mirror of
git://sourceware.org/git/lvm2.git
synced 2024-12-21 13:34:40 +03:00
pvmove: fix possible memory pool corruption
This is a hotfix for a bug introduced in 6d7dc87cb3.
The bug description: First we allocate memory for
the processing handle (at an address 1), then we
allocate some memory on the same pool for later use
in the pvmove_poll function inside the process_each_pv
function (at an address 2). After we jump out of
process_each_pv we called destroy_processing_handle.
As a result of destroying the handle, the memory pool could
deallocate all memory at address 1 or higher. The
pvmove_poll function tried to copy memory allocated
at address 2 that could be returned to the system.
If so, it led to a segfault.
We need to rethink a proper fix, but at the same time
the cmd->mem pool is recreated for each lvm command, so
this should not cause problems even when we run
multiple commands in the lvm shell.
A valgrind snapshot of the corruption:
Invalid read of size 1
at 0x4C29F92: strlen (mc_replace_strmem.c:403)
by 0x5495F2E: dm_pool_strdup (pool.c:51)
by 0x1592A7: _create_id (pvmove.c:774)
by 0x159409: pvmove_poll (pvmove.c:796)
by 0x1599E3: pvmove (pvmove.c:931)
by 0x15105B: lvm_run_command (lvmcmdline.c:1655)
by 0x1523C3: lvm2_main (lvmcmdline.c:2121)
by 0x1754F3: main (lvm.c:22)
Address 0xf15df8a is 138 bytes inside a block of size 8,192 free'd
at 0x4C28430: free (vg_replace_malloc.c:446)
by 0x5494E73: dm_free_wrapper (dbg_malloc.c:357)
by 0x5495DE2: _free_chunk (pool-fast.c:318)
by 0x549561C: dm_pool_free (pool-fast.c:151)
by 0x164451: destroy_processing_handle (toollib.c:1837)
by 0x1598C1: pvmove (pvmove.c:903)
by 0x15105B: lvm_run_command (lvmcmdline.c:1655)
by 0x1523C3: lvm2_main (lvmcmdline.c:2121)
by 0x1754F3: main (lvm.c:22)
This commit is contained in:
parent
a077a64983
commit
0daf9d7ac5
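The allocation order described in the commit message, reproduced as an added example that is not part of the lvm2 source. It assumes a toy bump allocator (`toy_pool`, `toy_alloc`, `toy_free` and `id_survives_destroy` are hypothetical names) that models only the rule that freeing an object also releases everything allocated after it; it is not libdevmapper's chunked pool.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy pool (assumption): one fixed buffer and a high-water mark. */
struct toy_pool { unsigned char buf[256]; size_t used; };

static void *toy_alloc(struct toy_pool *p, size_t n)
{
    size_t at = p->used;
    n = (n + 7u) & ~(size_t)7u;            /* keep allocations 8-byte aligned */
    if (n > sizeof(p->buf) - at)
        return NULL;
    p->used = at + n;
    return p->buf + at;
}

/* Freeing an object rewinds the pool to it: later allocations go with it. */
static void toy_free(struct toy_pool *p, void *obj)
{
    p->used = (size_t)((unsigned char *)obj - p->buf);
}

/* True while ptr still points into the live part of the pool. */
static int toy_is_live(const struct toy_pool *p, const void *ptr)
{
    const unsigned char *c = ptr;
    return c >= p->buf && c < p->buf + p->used;
}

/* Handle first ("address 1"), id string second ("address 2").
 * Returns 1 if the id is still owned by the pool after teardown, 0 if not. */
int id_survives_destroy(int release_handle)
{
    struct toy_pool pool = { {0}, 0 };
    void *handle = toy_alloc(&pool, 64);
    char *id = toy_alloc(&pool, 32);
    if (!handle || !id)
        return -1;
    strcpy(id, "vg0/pvmove0");             /* constructed sample value */
    if (release_handle)
        toy_free(&pool, handle);           /* teardown that frees the handle */
    else
        memset(handle, 0, 64);             /* teardown that only scrubs it */
    return toy_is_live(&pool, id);
}

int main(void)
{
    printf("free: %d scrub: %d\n", id_survives_destroy(1), id_survives_destroy(0));
    return 0;
}
```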
@ -1,5 +1,6 @@
|
||||
Version 2.02.142 -
|
||||
====================================
|
||||
Fix memory pool corruption in pvmove (2.02.141).
|
||||
Support control of spare metadata creation when repairing thin-pool.
|
||||
Fix config type of 'log/verbose' from bool to int (2.02.99).
|
||||
Fix thinp watermark calc for data LV for faster dmeventd responce (2.02.133).
|
||||
|
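Review bot: The new entry "Fix memory pool corruption in pvmove (2.02.141)." names only pvmove, but the code change in this commit sits in destroy_processing_handle, whose signature takes any cmd_context and processing_handle and is not specific to pvmove. If other commands tear down their handle through the same function, the entry should name the handle teardown as the cause so that changelog readers can tell whether their command was affected.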
@ -1834,7 +1834,11 @@ void destroy_processing_handle(struct cmd_context *cmd, struct processing_handle
|
||||
if (handle) {
|
||||
if (handle->selection_handle && handle->selection_handle->selection_rh)
|
||||
dm_report_free(handle->selection_handle->selection_rh);
|
||||
dm_pool_free(cmd->mem, handle);
|
||||
/*
|
||||
* TODO: think about better alternatives:
|
||||
* handle mempool, dm_alloc for handle memory...
|
||||
*/
|
||||
memset(handle, 0, sizeof(*handle));
|
||||
}
|
||||
}
|
||||
|
||||
|
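Review bot: The comment above memset(handle, 0, sizeof(*handle)) is only a TODO and does not record why the handle must not be returned with dm_pool_free(cmd->mem, handle), the call at toollib.c:1837 that the valgrind trace shows freeing the block pvmove_poll later reads. Please state in the comment that freeing the handle on cmd->mem also releases every allocation made after it, otherwise a later cleanup is likely to restore the free. Separately, the memset clears the handle->selection_handle pointer but leaves selection_handle->selection_rh pointing at the report just passed to dm_report_free; setting it to NULL right after that call would avoid a stale pointer for anything else that still holds the selection handle.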