From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Benjamin Marzinski
Date: Mon, 1 Feb 2021 19:47:11 -0600
Subject: [PATCH] libmultipath: fix use-after-free in uev_add_path

If ev_remove_path() returns success, the path has very likely been deleted. However, if pathinfo() returned something besides PATHINFO_OK, but ev_remove_path() succeeded, uev_add_path() was still accessing the path afterwards, which would likely cause a use-after-free error. Instead, uev_add_path() should only continue to access the path if ev_remove_path() didn't succeed.

Signed-off-by: Benjamin Marzinski
---
 multipathd/main.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/multipathd/main.c b/multipathd/main.c index 425492a9..19679848 100644 --- a/multipathd/main.c +++ b/multipathd/main.c @@ -890,13 +890,7 @@ uev_add_path (struct uevent *uev, struct vectors * vecs, int need_do_map) */ pp->mpp = prev_mpp; ret = ev_remove_path(pp, vecs, true); - if (r == PATHINFO_OK && !ret) - /* - * Path successfully freed, move on to - * "new path" code path below - */ - pp = NULL; - else { + if (ret != 0) { /* * Failure in ev_remove_path will keep * path in pathvec in INIT_REMOVED state @@ -907,7 +901,12 @@ uev_add_path (struct uevent *uev, struct vectors * vecs, int need_do_map) dm_fail_path(pp->mpp->alias, pp->dev_t); condlog(1, "%s: failed to re-add path still mapped in %s", pp->dev, pp->mpp->alias); - } + } else if (r == PATHINFO_OK) + /* + * Path successfully freed, move on to + * "new path" code path below + */ + pp = NULL; } else if (r == PATHINFO_SKIPPED) { condlog(3, "%s: remove blacklisted path", uev->kernel); -- 2.17.2
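
Review bot: in the new `else if (r == PATHINFO_OK)` branch at the end of the second hunk, `pp` is set to NULL only when pathinfo() returned PATHINFO_OK, so when ev_remove_path() returns 0 and `r` is anything else, `pp` stays non-NULL while pointing at a path the commit message says has very likely been deleted. The hunk itself no longer dereferences it in that case, but nothing in the visible lines stops code after this block from doing so; consider clearing `pp` on every `ret == 0` path and using `r` alone to decide whether to continue to the "new path" code, or add a comment stating why the stale pointer is safe there. As a smaller style point, the unbraced `else if` body carries a multi-line comment directly after a braced `if (ret != 0) {` block; braces on both branches would make the scope of `pp = NULL;` easier to read.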