diff options
| author | Peter Rajnoha <prajnoha@redhat.com> | 2016-01-11 12:51:08 +0100 |
|---|---|---|
| committer | Peter Rajnoha <prajnoha@redhat.com> | 2016-01-11 12:51:08 +0100 |
| commit | a83d611a86e6da31f255d5d87adf14cb3d62a05a (patch) | |
| tree | 8f2584bbfa235a5a4ef8b8c067819653addee9d8 | |
| parent | 0dac4f09b4fcf752b039a80707653d3b655fc020 (diff) | |
| download | lvm2-a83d611a86e6da31f255d5d87adf14cb3d62a05a.tar.gz | |
report: fix invalid memory read when reporting cache LV policy name
Fix regression caused by commit c2d4330f27277717bc3b684b702189079b257b77
which removed the dm_pool_strdup for the cache policy name in
_cache_policy_disp report function.
This regression was hit with buffered reporting only (which is
used by default). The reason is that for buffered reporting, we're
iterating over LVs in VG (process_each_lv) while gathering
all the information that is needed for the report. In this case,
the LV's cache policy name has not been duped, but only the pointer
to the original VG buffer was stored. When the LV iteration finished,
the VG buffer was freed and any report to output called later
(dm_report_output call) accessed already freed VG data.
This didn't appear if unbuffered reporting was used (--unbuffered)
because in this case, the data were reported to output as
soon as they were processed, hence it was reported to output
before the VG data was freed.
| -rw-r--r-- | WHATS_NEW | 1 | ||||
| -rw-r--r-- | lib/report/report.c | 8 |
2 files changed, 8 insertions, 1 deletions
@@ -1,5 +1,6 @@ Version 2.02.140 - =================================== + Fix invalid memory read when reporting cache LV policy_name (2.02.126). Version 2.02.139 - 8th January 2016 =================================== diff --git a/lib/report/report.c b/lib/report/report.c index 91522b10b..2fdf509d8 100644 --- a/lib/report/report.c +++ b/lib/report/report.c @@ -1417,6 +1417,7 @@ static int _cache_policy_disp(struct dm_report *rh, struct dm_pool *mem, const void *data, void *private) { const struct lv_segment *seg = (const struct lv_segment *) data; + const char *cache_policy_name; if (seg_is_cache(seg)) seg = first_seg(seg->pool_lv); @@ -1429,7 +1430,12 @@ static int _cache_policy_disp(struct dm_report *rh, struct dm_pool *mem, return 0; } - return _field_set_value(field, seg->policy_name, NULL); + if (!(cache_policy_name = dm_pool_strdup(mem, seg->policy_name))) { + log_error("dm_pool_strdup failed"); + return 0; + } + + return _field_set_value(field, cache_policy_name, NULL); } static int _modules_disp(struct dm_report *rh, struct dm_pool *mem, |