On 15/01/2025 00:27, Viacheslav Dubeyko wrote:
I have some worry here. Maybe I am wrong. Initially, we receive the tpath pointer as a function argument: https://elixir.bootlin.com/linux/v6.13-rc3/source/fs/ceph/mds_client.c#L5605

Then we assign tpath to _tpath: https://elixir.bootlin.com/linux/v6.13-rc3/source/fs/ceph/mds_client.c#L5651

We allocate memory by condition:

	if (spath && (m = strlen(spath)) != 1) {
		/* mount path + '/' + tpath + an extra space */
		n = m + 1 + tlen + 1;
		_tpath = kmalloc(n, GFP_NOFS);
		if (!_tpath)
			return -ENOMEM;
		/* remove the leading '/' */
		snprintf(_tpath, n, "%s/%s", spath + 1, tpath);
		free_tpath = true;
		tlen = strlen(_tpath);
	}

https://elixir.bootlin.com/linux/v6.13-rc3/source/fs/ceph/mds_client.c#L5660

What if the condition is not true and we don't allocate memory? We still have _tpath keeping the pointer to tpath, and kfree() will be called. It sounds to me that we can free tpath and the caller of ceph_mds_auth_match() will have a use-after-free issue. Am I right here? Am I missing something here?
Hello Slava,

Actually, we check that free_tpath is set to true before trying to free _tpath, and the only time free_tpath is set to true is after a successful kmalloc assigned to _tpath.
+ if (free_tpath) + kfree(_tpath);
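Review bot: the guard is sound as written, since free_tpath is only set to true after the kmalloc of _tpath succeeds and otherwise _tpath still aliases the caller's tpath, so the kfree never touches the caller's buffer; consider adding a one-line comment above the kfree stating that _tpath may alias tpath, so that future edits keep the flag and the allocation paired.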
Thanks, Slava.
Antoine
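To make the guard concrete, here is a userspace model of the pattern discussed above (added example, not fs/ceph code): build_tpath() mirrors how ceph_mds_auth_match() either aliases the caller's tpath or allocates a joined "mount path + '/' + tpath" buffer and sets free_tpath, and release_tpath() mirrors the patched cleanup that frees only when the flag is set. Names, the malloc-for-kmalloc substitution and the return of NULL instead of -ENOMEM are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the _tpath construction in ceph_mds_auth_match(): when the
 * mount path is more than "/", a fresh buffer "spath-without-'/'/tpath"
 * is allocated and *free_tpath is set; otherwise _tpath aliases tpath
 * and must never be freed. Returns NULL on allocation failure
 * (the kernel returns -ENOMEM). Constructed example, not kernel code. */
static char *build_tpath(const char *spath, char *tpath, bool *free_tpath)
{
    char *_tpath = tpath;           /* default: alias the caller's buffer */
    size_t m, n, tlen = strlen(tpath);

    *free_tpath = false;
    if (spath && (m = strlen(spath)) != 1) {
        /* mount path + '/' + tpath + NUL, as in the kernel snippet */
        n = m + 1 + tlen + 1;
        _tpath = malloc(n);         /* kmalloc(n, GFP_NOFS) in the kernel */
        if (!_tpath)
            return NULL;
        snprintf(_tpath, n, "%s/%s", spath + 1, tpath); /* drop leading '/' */
        *free_tpath = true;         /* only set after a successful alloc */
    }
    return _tpath;
}

/* Mirrors the patched cleanup: free only what this function allocated.
 * Returns true when a buffer was released, false when it was an alias. */
static bool release_tpath(char *_tpath, bool free_tpath)
{
    if (free_tpath)
        free(_tpath);
    return free_tpath;
}

int main(void)
{
    bool f;
    char caller_buf[] = "dir/file";
    char *p = build_tpath("/", caller_buf, &f);     /* mount path is "/" */
    printf("%s aliased=%d\n", p, p == caller_buf);  /* dir/file aliased=1 */
    release_tpath(p, f);                            /* alias: nothing freed */
    p = build_tpath("/mnt", caller_buf, &f);
    printf("%s\n", p);                              /* mnt/dir/file */
    release_tpath(p, f);                            /* frees the joined copy */
    return 0;
}
```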