    irmap: Get root mntfd before releasing tasks on predump · b4768792
    Pavel Emelyanov authored
    We have a use-after-free in predump code:
    
    1st the free_pstree() is called in pre_dump_tasks(), then we
    go to irmap_predump_run() which may call the lookup_irmap()
    which, in turn, dereferences the root_item to get the root
    mount ns fd.
    
    But the problem is bigger than that. After we've released the
    tasks (done before freeing pstree on predump) we can no longer
    access them by PIDs, so keeping the root-item after irmap
    scan is not a fix.
    
    Fix is to get the root fd before releasing the tasks and using
    one in irmap scanner.
    
    Caught recently on iterative inotify_irmap test.
    Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
    Acked-by: Andrew Vagin <avagin@parallels.com>
Name
Documentation
arch
contrib
include
lib
pie
protobuf
scripts
test
.gitignore
.mailmap
.travis.yml
COPYING
CREDITS
Makefile
Makefile.config
Makefile.crtools
Makefile.inc
README
action-scripts.c
bfd.c
cgroup.c
cr-check.c
cr-dedup.c
cr-dump.c
cr-exec.c
cr-restore.c
cr-service.c
cr-show.c
crtools
crtools.c
eventfd.c
eventpoll.c
fifo.c
file-ids.c
file-lock.c
files-ext.c
files-reg.c
files.c
fsnotify.c
image-desc.c
image.c
ipc_ns.c
irmap.c
kcmp-ids.c
kerndat.c
libnetlink.c
log.c
mem.c
mount.c
namespaces.c
net.c
netfilter.c
page-pipe.c
page-read.c
page-xfer.c
pagemap-cache.c
parasite-syscall.c
pipes.c
plugin.c
proc_parse.c
protobuf-desc.c
protobuf.c
pstree.c
ptrace.c
rbtree.c
rst-malloc.c
sd-daemon.c
sd-daemon.h
security.c
shmem.c
sigframe.c
signalfd.c
sk-inet.c
sk-netlink.c
sk-packet.c
sk-queue.c
sk-tcp.c
sk-unix.c
sockets.c
stats.c
string.c
sysctl.c
sysfs_parse.c
timerfd.c
tty.c
tun.c
util.c
uts_ns.c