Manage: fix check after dereference issue

(cherry picked from commit 49e751139841591aa3895a78efbfd84fbc0d2eeb)
2024-06-24 20:34:03 +08:00 · 2024-06-24 20:34:03 +08:00 · 95ce43c147
commit 95ce43c147
parent 0503c81df8
3 changed files with 144 additions and 1 deletions
--- a/0013-Fix-memory-leak-in-file-Manage.patch
+++ b/0013-Fix-memory-leak-in-file-Manage.patch
@ -0,0 +1,74 @@
+From f6feb3fbb50f48c193e9e4d775a20aa20f7b47b3 Mon Sep 17 00:00:00 2001
+From: Guanqin Miao <miaoguanqin@huawei.com>
+Date: Mon, 24 Apr 2023 16:06:36 +0800
+Subject: [PATCH] Fix memory leak in file Manage
+
+When we test mdadm with asan, we found some memory leaks in Manage.c
+We fix these memory leaks based on code logic.
+
+v2: Fix free() of uninitialized 'tst' in abort path.
+
+Signed-off-by: Guanqin Miao <miaoguanqin@huawei.com>
+Signed-off-by: Li Xiao Keng <lixiaokeng@huawei.com>
+Acked-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
+Signed-off-by: Jes Sorensen <jes@trained-monkey.org>
+---
+ Manage.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/Manage.c b/Manage.c
+index f54de7c6..f997b163 100644
+--- a/Manage.c
+++ b/Manage.c
+@@ -222,6 +222,7 @@ int Manage_stop(char *devname, int fd, int verbose, int will_retry)
+ 		if (verbose >= 0)
+ 			pr_err("Cannot get exclusive access to %s:Perhaps a running process, mounted filesystem or active volume group?\n",
+ 			       devname);
+		sysfs_free(mdi);
+ 		return 1;
+ 	}
+ 	/* If this is an mdmon managed array, just write 'inactive'
+@@ -801,8 +802,14 @@ int Manage_add(int fd, int tfd, struct mddev_dev *dv,
+ 						    rdev, update, devname,
+ 						    verbose, array);
+ 				dev_st->ss->free_super(dev_st);
+-				if (rv)
+				if (rv) {
+					free(dev_st);
+ 					return rv;
+				}
+			}
+			if (dev_st) {
+				dev_st->ss->free_super(dev_st);
+				free(dev_st);
+ 			}
+ 		}
+ 		if (dv->disposition == 'M') {
+@@ -1362,7 +1369,7 @@ int Manage_subdevs(char *devname, int fd,
+ 	unsigned long long array_size;
+ 	struct mddev_dev *dv;
+ 	int tfd = -1;
+-	struct supertype *tst;
+	struct supertype *tst = NULL;
+ 	char *subarray = NULL;
+ 	int sysfd = -1;
+ 	int count = 0; /* number of actions taken */
+@@ -1699,6 +1706,7 @@ int Manage_subdevs(char *devname, int fd,
+ 			break;
+ 		}
+ 	}
+	free(tst);
+ 	if (frozen > 0)
+ 		sysfs_set_str(&info, NULL, "sync_action","idle");
+ 	if (test && count == 0)
+@@ -1706,6 +1714,7 @@ int Manage_subdevs(char *devname, int fd,
+ 	return 0;
+ 
+ abort:
+	free(tst);
+ 	if (frozen > 0)
+ 		sysfs_set_str(&info, NULL, "sync_action","idle");
+ 	return !test && busy ? 2 : 1;
+-- 
+2.39.2
+
--- a/0014-Manage-fix-check-after-dereference-issue.patch
+++ b/0014-Manage-fix-check-after-dereference-issue.patch
@ -0,0 +1,64 @@
+From e97ca3583c96591af0e4863c12c394074a51c84d Mon Sep 17 00:00:00 2001
+From: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
+Date: Thu, 29 Feb 2024 12:52:07 +0100
+Subject: [PATCH] Manage: fix check after dereference issue
+
+The code dereferences dev_st earlier without checking, it gives SAST
+problem.
+
+dev_st is needed for attempt_re_add(), but it is executed only if
+dv->disposition != 'S', so move disposition check up.
+
+tst is a must to reach this place, dup_super() have to return valid
+pointer, all it needs to check is if load_super() returns superblock.
+
+Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
+---
+ Manage.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+diff --git a/Manage.c b/Manage.c
+index 30302ac8..77b79cf5 100644
+--- a/Manage.c
+++ b/Manage.c
+@@ -794,25 +794,23 @@ int Manage_add(int fd, int tfd, struct mddev_dev *dv,
+ 		 * simply re-add it.
+ 		 */
+ 
+-		if (array->not_persistent == 0) {
+		if (array->not_persistent == 0 && dv->disposition != 'S') {
+			int rv = 0;
+
+ 			dev_st = dup_super(tst);
+ 			dev_st->ss->load_super(dev_st, tfd, NULL);
+-			if (dev_st->sb && dv->disposition != 'S') {
+-				int rv;
+ 
+-				rv = attempt_re_add(fd, tfd, dv, dev_st, tst,
+-						    rdev, update, devname,
+-						    verbose, array);
+-				dev_st->ss->free_super(dev_st);
+-				if (rv) {
+-					free(dev_st);
+-					return rv;
+-				}
+-			}
+-			if (dev_st) {
+			if (dev_st->sb) {
+				rv = attempt_re_add(fd, tfd, dv, dev_st, tst, rdev, update,
+						    devname, verbose, array);
+
+ 				dev_st->ss->free_super(dev_st);
+-				free(dev_st);
+ 			}
+
+			free(dev_st);
+
+			if (rv)
+				return rv;
+ 		}
+ 		if (dv->disposition == 'M') {
+ 			if (verbose > 0)
+-- 
+2.39.2
+
--- a/mdadm.spec
+++ b/mdadm.spec
@ -1,6 +1,6 @@
 Name:     mdadm
 Version:  4.2
-Release:  11
+Release:  12
 Summary:  The software RAID arrays user manage tools
 License:  GPLv2+
 URL:      http://www.kernel.org/pub/linux/utils/raid/mdadm/
@ -22,6 +22,8 @@ Patch9:  0009-fix-mdmonitor-oneshot.service-start-error.patch
 Patch10: 0010-Fix-null-pointer-for-incremental-in-mdadm.patch
 Patch11: 0011-Fix-race-of-mdadm-add-and-mdadm-incremental.patch
 Patch12: 0012-mdadm-Fix-double-free.patch
+Patch13: 0013-Fix-memory-leak-in-file-Manage.patch
+Patch14: 0014-Manage-fix-check-after-dereference-issue.patch

 BuildRequires:    systemd gcc binutils libudev-devel
 Requires(post):   systemd coreutils
@ -87,6 +89,9 @@ install -d -m 710 %{buildroot}/var/run/mdadm/
 %{_mandir}/man*/*

 %changelog
+* Fri Jun 28 2024 wuguanghao <wuguanghao3@huawei.com> - 4.2-12
+- Manage: fix check after dereference issue
+
 * Wed May 29 2024 liuh <liuhuan01@kylinos.cn> - 4.2-11
 - sync patch from community