Bug 1448397
| Summary: | dmfilemapd segfault with wrong number of arguments | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Bryn M. Reeves <bmr> |
| Component: | lvm2 | Assignee: | Bryn M. Reeves <bmr> |
| lvm2 sub component: | Other | QA Contact: | cluster-qe <cluster-qe> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | low | ||
| Priority: | low | CC: | agk, cmarthal, heinzm, jbrassow, msnitzer, prajnoha, prockai, rbednar, zkabelac |
| Version: | 7.4 | ||
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | lvm2-2.02.171-2.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-01 21:54:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Coverity spotted another error in dmfilemapd: a local variable that can now be accessed before its assignment when the monitored file is unlinked. If possible we should also pull this fix in:
commit a9940d16fe5251f2f1d7cb008cfd3be1bfb50120
Author: Bryn M. Reeves <bmr>
Date: Mon May 8 17:10:25 2017 +0100
dmfilemapd: always initialise 'same' local variable (Coverity)
Fix a regression introduced in 70bb726 that allows a local variable
in the monitored file checking routine to be accessed before its
assignment when the file has already been unlinked.
This is the fix for this bug:
commit 7fbeea30e5ce4dbb4877910877575ed6c37dfb8c
Author: Bryn M. Reeves <bmr>
Date: Fri May 5 11:48:54 2017 +0100
dmfilemapd: clear filemap_monitor before calling _parse_args()
If the wrong number of arguments are given, main() will attempt
to free the uninitialised pointer in fm.path.
The following commit isn't directly related but was made while reviewing changes for this bug:
commit a9940d16fe5251f2f1d7cb008cfd3be1bfb50120
Author: Bryn M. Reeves <bmr>
Date: Mon May 8 17:10:25 2017 +0100
dmfilemapd: always initialise 'same' local variable (Coverity)
Fix a regression introduced in 70bb726 that allows a local variable
in the monitored file checking routine to be accessed before its
assignment when the file has already been unlinked.
Marking verified. BEFORE PATCH: # dmfilemapd Wrong number of arguments. usage: dmfilemapd <fd> <group_id> <abs_path> <mode> [<foreground>[<log_level>]] Segmentation fault (core dumped) AFTER PATCH: # dmfilemapd Wrong number of arguments. usage: dmfilemapd <fd> <group_id> <abs_path> <mode> [<foreground>[<log_level>]] 3.10.0-671.el7.x86_64 lvm2-2.02.171-2.el7 BUILT: Wed May 24 16:02:34 CEST 2017 lvm2-libs-2.02.171-2.el7 BUILT: Wed May 24 16:02:34 CEST 2017 lvm2-cluster-2.02.171-2.el7 BUILT: Wed May 24 16:02:34 CEST 2017 device-mapper-1.02.140-2.el7 BUILT: Wed May 24 16:02:34 CEST 2017 device-mapper-libs-1.02.140-2.el7 BUILT: Wed May 24 16:02:34 CEST 2017 device-mapper-event-1.02.140-2.el7 BUILT: Wed May 24 16:02:34 CEST 2017 device-mapper-event-libs-1.02.140-2.el7 BUILT: Wed May 24 16:02:34 CEST 2017 device-mapper-persistent-data-0.7.0-0.1.rc6.el7 BUILT: Mon Mar 27 17:15:46 CEST 2017 cmirror-2.02.171-2.el7 BUILT: Wed May 24 16:02:34 CEST 2017 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2222 |
Description of problem: If the dmfilemapd daemon is run with the wrong number of arguments it will segfault after printing the usage message: # dmfilemapd Wrong number of arguments. usage: dmfilemapd <fd> <group_id> <abs_path> <mode> [<foreground>[<log_level>]] Segmentation fault (core dumped) This is because the struct filemap_monitor (that stores the context the daemon is monitoring) is not cleared until after the argument count has been checked in _parse_args(): this means that an error is returned to main() which will then attempt to free the fm.path pointer. As the struct has not been initialised this field contains garbage from the stack. Version-Release number of selected component (if applicable): lvm2-2.02.171.el7 device-mapper-1.02.140-1.el7 How reproducible: 100% Steps to Reproduce: 1. dmfilemapd Actual results: # dmfilemapd Wrong number of arguments. usage: dmfilemapd <fd> <group_id> <abs_path> <mode> [<foreground>[<log_level>]] Segmentation fault (core dumped) Expected results: # dmfilemapd Wrong number of arguments. usage: dmfilemapd <fd> <group_id> <abs_path> <mode> [<foreground>[<log_level>]] Additional info: Fixed upstream: commit 7fbeea30e5ce4dbb4877910877575ed6c37dfb8c Author: Bryn M. Reeves <bmr> Date: Fri May 5 11:48:54 2017 +0100 dmfilemapd: clear filemap_monitor before calling _parse_args() If the wrong number of arguments are given, main() will attempt to free the uninitialised pointer in fm.path.