Opened 7 years ago

Closed 7 years ago

#13375 closed bug (no change required)

[PATCH] system/boot/loader/vfs.cpp: fix use after free

Reported by: mt
Owned by: axeld
Priority: normal
Milestone: Unscheduled
Component: System/Boot Loader
Version: R1/Development
Keywords:
Cc:
Blocked By:
Blocking:
Platform: All

Description

Since Node::Close() calls Node::Release() [1], dir->directory->Close() at line 1206 [2] could delete dir->directory itself, and then dir->directory may be used after free on the next line, 1207.

[1] http://cgit.haiku-os.org/haiku/tree/src/system/boot/loader/vfs.cpp#n111

[2] http://cgit.haiku-os.org/haiku/tree/src/system/boot/loader/vfs.cpp#n1206

Attachments (2)

0033-vfs.cpp-fix-use-after-free.patch (740 bytes ) - added by mt 7 years ago.
report-50f072.html (147.1 KB ) - added by mt 7 years ago.
Report by Clang Static Analyzer


Change History (4)

comment:1 by mt, 7 years ago

patch: 0 → 1

by mt, 7 years ago

Attachment: report-50f072.html added

Report by Clang Static Analyzer

comment:2 by axeld, 7 years ago

Resolution: no change required
Status: new → closed

It's not a bug, though: opendir() acquires two references (in line 1170 and 1184), and closedir() loses them both again.

Thanks anyway, it's appreciated!
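To make the reference-counting argument above concrete, here is an added C++ model of the pattern the ticket and comment:2 describe. It is not Haiku's vfs.cpp: the Node, Dir, model_opendir and model_closedir names, the tombstone flag, and a node whose only references are the ones opendir takes are all assumptions made for the model. Close() drops one reference exactly as the report says; closedir() then touches the node again to drop the other. With two references taken, the node is still alive for that second touch; with only one, the first Close() would already have freed it, which is the use-after-free the static analyzer flagged.

```cpp
// Added model of the ticket's reference-counting argument (hypothetical; not Haiku code).
#include <iostream>

// Tombstone lives outside the Node so the model can tell "freed" from "alive"
// without ever dereferencing freed memory.
struct Tombstone {
    bool destroyed = false;
};

struct Node {
    int refCount = 0;
    Tombstone* tomb;

    explicit Node(Tombstone* t) : tomb(t) {}

    void Acquire() { ++refCount; }

    // Release() deletes the node when the last reference is dropped.
    void Release() {
        if (--refCount == 0) {
            tomb->destroyed = true;
            delete this;
        }
    }

    // Close() gives back one reference, as Node::Close() does per the report.
    int Close() {
        Release();
        return 0;
    }
};

struct Dir {
    Node* directory;
};

// In the model, opendir() takes `refsTaken` references on the node.
// Comment:2 says the real one takes two; one models the case the reporter feared.
// Precondition: refsTaken >= 1.
Dir* model_opendir(Node* node, int refsTaken) {
    Dir* dir = new Dir{node};
    for (int i = 0; i < refsTaken; i++)
        dir->directory->Acquire();
    return dir;
}

// closedir(): Close() drops one reference, then the node is used again to drop
// the second. Returns true if that second use would touch a freed node.
bool model_closedir(Dir* dir, Tombstone* tomb) {
    dir->directory->Close();                 // first reference dropped here
    bool useAfterFree = tomb->destroyed;     // would the next line be a UAF?
    if (!useAfterFree)
        dir->directory->Release();           // second reference, only safe if still alive
    delete dir;
    return useAfterFree;
}

// Runs one scenario; returns true when closedir() would use freed memory.
bool closedir_touches_freed_node(int refsTakenByOpendir) {
    Tombstone tomb;
    Node* node = new Node(&tomb);
    Dir* dir = model_opendir(node, refsTakenByOpendir);
    bool uaf = model_closedir(dir, &tomb);
    // Drop any references beyond the two closedir() handles so the model does not leak.
    while (!tomb.destroyed && node->refCount > 0)
        node->Release();
    return uaf;
}

int main() {
    std::cout << "opendir takes 2 refs: use-after-free = "
              << closedir_touches_freed_node(2) << "\n";   // 0: safe, as comment:2 says
    std::cout << "opendir takes 1 ref:  use-after-free = "
              << closedir_touches_freed_node(1) << "\n";   // 1: the pattern the analyzer saw
    return 0;
}
```

The tombstone is what makes the model safe to run: it records the deletion outside the object, so the "would this be a use-after-free?" question is answered by reading a live flag rather than by poking freed memory. In real code the equivalent check is the audit axeld did by hand: count the Acquire() calls on the open path and confirm the close path drops no more than that.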
