Re: [PATCH 1/1] cr: uts: don't pass an unsigned var as a signed int

Quoting Nathan Lynch (ntl@xxxxxxxxx):
> "Serge E. Hallyn" <serge@xxxxxxxxxx> writes:
> 
> > Quoting Nathan Lynch (ntl@xxxxxxxxx):
> >> "Serge E. Hallyn" <serue@xxxxxxxxxx> writes:
> >> 
> >> > Else my checkpoint image gets reeeaallly huge.  Just passing the
> >> > result of sizeof() however does the right thing.
> >> >
> >> > Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
> >> > ---
> >> >  checkpoint/namespace.c |   12 ++++++------
> >> >  1 files changed, 6 insertions(+), 6 deletions(-)
> >> 
> >> But right above the code you're changing we have:
> >> 
> >> 	h->sysname_len = sizeof(name->sysname);
> >> 	h->nodename_len = sizeof(name->nodename);
> >> 	h->release_len = sizeof(name->release);
> >> 	h->version_len = sizeof(name->version);
> >> 	h->machine_len = sizeof(name->machine);
> >> 	h->domainname_len = sizeof(name->domainname);
> >> 
> >> Your patch shouldn't change any behavior.  What gives?
> >
> > "Shouldn't", perhaps, but does.
> 
> 
> Revisiting do_checkpoint_uts_ns, I think it's a case of use after free:
> 
> 	h = ckpt_hdr_get_type(ctx, sizeof(*h), CKPT_HDR_UTS_NS);
> 	if (!h)
> 		return -ENOMEM;
> 
> 	h->sysname_len = sizeof(name->sysname);
> 	h->nodename_len = sizeof(name->nodename);
> 	h->release_len = sizeof(name->release);
> 	h->version_len = sizeof(name->version);
> 	h->machine_len = sizeof(name->machine);
> 	h->domainname_len = sizeof(name->domainname);
> 
> 	ret = ckpt_write_obj(ctx, &h->h);
> 	ckpt_hdr_put(ctx, h);
> 	if (ret < 0)
> 		return ret;
> 
> 	down_read(&uts_sem);
> 	ret = ckpt_write_string(ctx, name->sysname, h->sysname_len);
> 
> We're continuing to use h's memory after it has been released by
> ckpt_hdr_put.  Seems plausible that the poison values written by sl*b
> debug would cause the len argument to be ridiculously large.

Haha.  Can't believe I didn't see that!

Thanks.

-serge
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
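
The stale read diagnosed in this thread can be reproduced in user space. The following is an added example, not code from the thread or from the checkpoint/restart tree: `hdr_get`, `hdr_put`, `struct uts_hdr` and `struct uts_name` are hypothetical stand-ins, and the one-slot static pool keeps the "freed" memory mapped so the read after release is well defined here and returns the poison pattern.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b   /* byte the kernel's slab debugging writes into freed objects */

struct uts_hdr  { uint32_t sysname_len; };   /* hypothetical stand-in for the header */
struct uts_name { char sysname[65]; };       /* hypothetical stand-in for the uts name */

static struct uts_hdr pool;   /* one-slot "allocator": storage stays valid after put */

static struct uts_hdr *hdr_get(void)
{
    memset(&pool, 0, sizeof pool);
    return &pool;
}

/* Release the header and poison it, as a debug allocator would. */
static void hdr_put(struct uts_hdr *h)
{
    memset(h, POISON_FREE, sizeof *h);
}

/* Pattern from the thread: the length is read from h after h was released. */
static uint32_t len_after_put(const struct uts_name *name)
{
    struct uts_hdr *h = hdr_get();
    h->sysname_len = sizeof(name->sysname);
    hdr_put(h);                       /* header written out and released here */
    return h->sysname_len;            /* stale read: poison, not 65 */
}

/* Corrected ordering: copy the length out while the header is still live. */
static uint32_t len_before_put(const struct uts_name *name)
{
    struct uts_hdr *h = hdr_get();
    uint32_t len;
    h->sysname_len = sizeof(name->sysname);
    len = h->sysname_len;
    hdr_put(h);
    return len;
}

int main(void)
{
    struct uts_name n = { "Linux" };  /* constructed sample input */
    printf("after put:  %#x\n", (unsigned)len_after_put(&n));
    printf("before put: %u\n", (unsigned)len_before_put(&n));
    return 0;
}
```

Passing `sizeof(name->sysname)` directly as the length, as the patch description says, avoids the stale read for the same reason: the value no longer comes from released memory.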
