On Mon, Feb 24, 2020 at 09:57:03PM -0800, Eric Sandeen wrote:
> On 2/24/20 4:11 PM, Darrick J. Wong wrote:
> > From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> >
> > Since libxfs doesn't allocate the struct xfs_mount *, we can't just free
> > it during unmount. Zero its contents to prevent any use-after-free.
>
> seems fine but makes me wonder what prompted it. Did we have a use
> after free?

No, just Brian musing about the possibility of it, so I said I'd zero it
out to make a UAF more obvious.

> Reviewed-by: Eric Sandeen <sandeen@xxxxxxxxxx>

Thanks for the review.

--D

> >
> > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> > ---
> > libxfs/init.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> >
> > diff --git a/libxfs/init.c b/libxfs/init.c
> > index d4804ead..197690df 100644
> > --- a/libxfs/init.c
> > +++ b/libxfs/init.c
> > @@ -904,6 +904,7 @@ libxfs_umount(
> > if (mp->m_logdev_targp != mp->m_ddev_targp)
> > kmem_free(mp->m_logdev_targp);
> > kmem_free(mp->m_ddev_targp);
> > + memset(mp, 0, sizeof(struct xfs_mount));
> >
> > return error;
> > }
> >
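Review bot: The new `memset(mp, 0, sizeof(struct xfs_mount));` at the end of libxfs_umount() wants a one-line comment stating its intent, because a reader who sees the caller-owned struct wiped right after `kmem_free(mp->m_ddev_targp)` may mistake it for a leak or an accidental clobber; something like "zero the caller-owned mount so any use after unmount fails loudly instead of reading stale pointers" captures the rationale given in the commit message and in this thread. Since mp is not freed here, the zeroing turns a later use of mp->m_ddev_targp or mp->m_logdev_targp into a NULL dereference rather than a read of freed memory, which is the more detectable failure the change is after; it is worth confirming that no caller reads mp fields after libxfs_umount() returns, since those reads will now see zeros rather than plausible-looking stale values.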