device-mapper-multipath/0122-libmultipath-fix-use-after-free-in-uev_add_path.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Benjamin Marzinski <bmarzins@redhat.com>
Date: Mon, 1 Feb 2021 19:47:11 -0600
Subject: [PATCH] libmultipath: fix use-after-free in uev_add_path

if ev_remove_path() returns success the path has very likely been
deleted. However, if pathinfo() returned something besides PATHINFO_OK,
but ev_remove_path() succeeded, uev_add_path() was still accessing the
the path afterwards, which would likely cause a use-after-free error.
Insted, uev_add_path() should only continue to access the path if
ev_remove_path() didn't succeed.

Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
---
 multipathd/main.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/multipathd/main.c b/multipathd/main.c
index 425492a9..19679848 100644
--- a/multipathd/main.c
+++ b/multipathd/main.c
@@ -890,13 +890,7 @@ uev_add_path (struct uevent *uev, struct vectors * vecs, int need_do_map)
 				 */
 				pp->mpp = prev_mpp;
 				ret = ev_remove_path(pp, vecs, true);
-				if (r == PATHINFO_OK && !ret)
-					/*
-					 * Path successfully freed, move on to
-					 * "new path" code path below
-					 */
-					pp = NULL;
-				else {
+				if (ret != 0) {
 					/*
 					 * Failure in ev_remove_path will keep
 					 * path in pathvec in INIT_REMOVED state
@@ -907,7 +901,12 @@ uev_add_path (struct uevent *uev, struct vectors * vecs, int need_do_map)
 					dm_fail_path(pp->mpp->alias, pp->dev_t);
 					condlog(1, "%s: failed to re-add path still mapped in %s",
 						pp->dev, pp->mpp->alias);
-				}
+				} else if (r == PATHINFO_OK)
+					/*
+					 * Path successfully freed, move on to
+					 * "new path" code path below
+					 */
+					pp = NULL;
 			} else if (r == PATHINFO_SKIPPED) {
 				condlog(3, "%s: remove blacklisted path",
 					uev->kernel);
-- 
2.17.2
Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/device-mapper-multipath.git#9fdf79cddf3be4e872b8d515e240dd533ea8dd34 2021-02-12 19:25:37 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: Benjamin Marzinski <bmarzins@redhat.com>`
			`Date: Mon, 1 Feb 2021 19:47:11 -0600`
			`Subject: [PATCH] libmultipath: fix use-after-free in uev_add_path`

			`if ev_remove_path() returns success the path has very likely been`
			`deleted. However, if pathinfo() returned something besides PATHINFO_OK,`
			`but ev_remove_path() succeeded, uev_add_path() was still accessing the`
			`the path afterwards, which would likely cause a use-after-free error.`
			`Insted, uev_add_path() should only continue to access the path if`
			`ev_remove_path() didn't succeed.`

			`Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>`
			`---`
			`multipathd/main.c \| 15 +++++++--------`
			`1 file changed, 7 insertions(+), 8 deletions(-)`

			`diff --git a/multipathd/main.c b/multipathd/main.c`
			`index 425492a9..19679848 100644`
			`--- a/multipathd/main.c`
			`+++ b/multipathd/main.c`
			`@@ -890,13 +890,7 @@ uev_add_path (struct uevent uev, struct vectors vecs, int need_do_map)`
			`*/`
			`pp->mpp = prev_mpp;`
			`ret = ev_remove_path(pp, vecs, true);`
			`- if (r == PATHINFO_OK && !ret)`
			`- /*`
			`- * Path successfully freed, move on to`
			`- * "new path" code path below`
			`- */`
			`- pp = NULL;`
			`- else {`
			`+ if (ret != 0) {`
			`/*`
			`* Failure in ev_remove_path will keep`
			`* path in pathvec in INIT_REMOVED state`
			`@@ -907,7 +901,12 @@ uev_add_path (struct uevent uev, struct vectors vecs, int need_do_map)`
			`dm_fail_path(pp->mpp->alias, pp->dev_t);`
			`condlog(1, "%s: failed to re-add path still mapped in %s",`
			`pp->dev, pp->mpp->alias);`
			`- }`
			`+ } else if (r == PATHINFO_OK)`
			`+ /*`
			`+ * Path successfully freed, move on to`
			`+ * "new path" code path below`
			`+ */`
			`+ pp = NULL;`
			`} else if (r == PATHINFO_SKIPPED) {`
			`condlog(3, "%s: remove blacklisted path",`
			`uev->kernel);`
			`--`
			`2.17.2`