From 0a52f7f704daa0fd665ae129ede46414b24f270c Mon Sep 17 00:00:00 2001 
From: Dominique Martinet Date: Tue, 2 Oct 2018 19:10:23 +0900 Subject: [PATCH] fsal proxy: fix use-after-scope in create session csa_sec_parms_val was declared in its own scope but was used much later, we need to declare it outside of the helper and pass the address there. ==7480==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fffea684340 at pc 0x7fffecec1e9c bp 0x7fffea683510 sp 0x7fffea683500 READ of size 4 at 0x7fffea684340 thread T5 #0 0x7fffecec1e9b in xdr_uint32_t /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:221 #1 0x7fffecec1ef7 in xdr_u_int32_t /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:236 #2 0x7fffecec9d88 in xdr_callback_sec_parms4 /src/nfs-ganesha/src/include/nfsv41.h:6750 #3 0x7fffecec3c3c in xdr_array_encode /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:848 #4 0x7fffecec3ef3 in xdr_array /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:891 #5 0x7fffececaa56 in xdr_CREATE_SESSION4args /src/nfs-ganesha/src/include/nfsv41.h:7049 #6 0x7fffecece544 in xdr_nfs_argop4 /src/nfs-ganesha/src/include/nfsv41.h:8233 #7 0x7fffecec3c3c in xdr_array_encode /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:848 #8 0x7fffecec3ef3 in xdr_array /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:891 #9 0x7fffececfef4 in xdr_COMPOUND4args /src/nfs-ganesha/src/include/nfsv41.h:8732 #10 0x7fffeced6f8c in pxy_compoundv4_call /src/nfs-ganesha/src/FSAL/FSAL_PROXY/handle.c:764 #11 0x7fffeced834a in pxy_compoundv4_execute /src/nfs-ganesha/src/FSAL/FSAL_PROXY/handle.c:857 #12 0x7fffeceda878 in pxy_setsessionid /src/nfs-ganesha/src/FSAL/FSAL_PROXY/handle.c:966 #13 0x7fffecedc7eb in pxy_clientid_renewer /src/nfs-ganesha/src/FSAL/FSAL_PROXY/handle.c:1147 #14 0x7ffff5572593 in start_thread /usr/src/debug/glibc-2.27-78-g2b47bb9cba/nptl/pthread_create.c:463 #15 0x7ffff4e84e6e in clone (/lib64/libc.so.6+0xf9e6e) Address 0x7fffea684340 is located in stack of thread T5 at offset 288 in frame #0 0x7fffeced9cbc in pxy_setsessionid 
/src/nfs-ganesha/src/FSAL/FSAL_PROXY/handle.c:936 This frame has 7 object(s): [32, 36) 'seqid' [96, 100) 'fore_ca_rdma_ird_val_sink' [160, 164) 'back_ca_rdma_ird_val_sink' [224, 232) 'cid' [288, 336) 'csa_sec_parms_val' <== Memory access at offset 288 is inside this variable [384, 960) 'arg' [992, 1632) 'res' Change-Id: I597abb06747898418c907e33b57b1f0ac1f904f7 Signed-off-by: Dominique Martinet
---
src/FSAL/FSAL_PROXY/fsal_nfsv4_macros.h | 8 ++++----
src/FSAL/FSAL_PROXY/handle.c | 3 ++-
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/FSAL/FSAL_PROXY/fsal_nfsv4_macros.h b/src/FSAL/FSAL_PROXY/fsal_nfsv4_macros.h
index aec529bf44..da85c733b5 100644
--- a/src/FSAL/FSAL_PROXY/fsal_nfsv4_macros.h
+++ b/src/FSAL/FSAL_PROXY/fsal_nfsv4_macros.h
@@ -66,9 +66,9 @@ do { \
 	op->nfs_argop4_u.opreclaim_complete.rca_one_fs = false; \
 } while (0)
-#define COMPOUNDV4_ARG_ADD_OP_CREATE_SESSION(opcnt, argarray, cid, seqid, info)\
+#define COMPOUNDV4_ARG_ADD_OP_CREATE_SESSION(opcnt, argarray, cid, \
+					    seqid, info, sec_parms4) \
 do { \
-	callback_sec_parms4 csa_sec_parms_val; \
 	struct channel_attrs4 *fore_attrs; \
 	struct channel_attrs4 *back_attrs; \
 	CREATE_SESSION4args *opcreate_session; \
@@ -99,8 +99,8 @@ do { \
 	back_attrs->ca_rdma_ird.ca_rdma_ird_val = NULL; \
 	opcreate_session->csa_cb_program = info->srv_prognum; \
 	opcreate_session->csa_sec_parms.csa_sec_parms_len = 1; \
-	csa_sec_parms_val.cb_secflavor = AUTH_NONE; \
-	opcreate_session->csa_sec_parms.csa_sec_parms_val = &csa_sec_parms_val;\
+	(sec_parms4)->cb_secflavor = AUTH_NONE; \
+	opcreate_session->csa_sec_parms.csa_sec_parms_val = (sec_parms4); \
 } while (0)
 #define COMPOUNDV4_ARG_ADD_OP_PUTROOTFH(opcnt, argarray) \
diff --git a/src/FSAL/FSAL_PROXY/handle.c b/src/FSAL/FSAL_PROXY/handle.c
index 26516a968c..b3fda1e9a1 100644
--- a/src/FSAL/FSAL_PROXY/handle.c
+++ b/src/FSAL/FSAL_PROXY/handle.c
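Review bot: The new `sec_parms4` parameter of COMPOUNDV4_ARG_ADD_OP_CREATE_SESSION carries a lifetime contract that the macro does not state anywhere: the pointer is stored into the argument array and is only dereferenced later, when the compound is XDR-encoded, which is exactly the stack-use-after-scope this commit fixes. A comment above the `#define` would keep the next caller from passing the address of a block-scoped temporary: `/* sec_parms4: caller-owned callback_sec_parms4; its address is kept in argarray and read when the compound is encoded, so it must outlive the execute call. */`. The macro body between this hunk and the next is outside the view, so any other use of the old local there cannot be checked here.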
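Review bot: `(sec_parms4)->cb_secflavor = AUTH_NONE;` is now the only write the macro makes into caller-owned storage, and nothing tells the caller that the rest of the structure is left exactly as they provided it. If callback_sec_parms4 is the discriminated union from the NFSv4.1 protocol (the trace showing xdr_callback_sec_parms4 encoding a u_int32 first is consistent with that, but the header is not in view), AUTH_NONE selects no arm, so only the flavor is encoded; a one-liner next to the assignment would make that explicit: `/* AUTH_NONE carries no parameters: only the flavor is set and encoded; *sec_parms4 is otherwise left as the caller provided it. */`. Offering AUTH_NONE as the sole callback security flavor to the backend server is pre-existing behavior moved verbatim, not something this change introduces, but since it means backend callbacks arrive unauthenticated it is worth a short note saying that is intended.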
@@ -946,6 +946,7 @@ static int pxy_setsessionid(sessionid4 new_sessionid, uint32_t *lease_time,
 	sequenceid4 seqid;
 	CREATE_SESSION4res *s_res;
 	CREATE_SESSION4resok *res_ok;
+	callback_sec_parms4 sec_parms4;
 	uint32_t fore_ca_rdma_ird_val_sink;
 	uint32_t back_ca_rdma_ird_val_sink;
@@ -963,7 +964,7 @@ static int pxy_setsessionid(sessionid4 new_sessionid, uint32_t *lease_time,
 		&back_ca_rdma_ird_val_sink;
 	COMPOUNDV4_ARG_ADD_OP_CREATE_SESSION(opcnt, arg, cid, seqid,
-					     (&(pxy_exp->info)));
+					     (&(pxy_exp->info)), &sec_parms4);
 	rc = pxy_compoundv4_execute(__func__, NULL, opcnt, arg, res, pxy_exp);
 	if (rc != NFS4_OK)
 		return -1;
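Review bot: `callback_sec_parms4 sec_parms4;` is declared uninitialized, and the macro that receives its address in the next hunk sets only `cb_secflavor`, so every other byte of a structure that is later serialized by xdr_callback_sec_parms4 is whatever was on the stack. With AUTH_NONE no further field should be encoded, but that depends on the union definition and on the encoder, neither of which is in view; zero-initializing it, `callback_sec_parms4 sec_parms4 = {0};`, costs nothing and removes the possibility of stack contents leaking onto the wire if either changes. pxy_setsessionid begins before this hunk and continues past it.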
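Review bot: The call site now relies on `sec_parms4` outliving the COMPOUNDV4_ARG_ADD_OP_CREATE_SESSION invocation, but nothing at the call says so; what makes the frame-scoped variable safe is that `pxy_compoundv4_execute` on the very next line is where the stored address is read. A short comment would stop a later refactor (moving the declaration into a helper, or the call into a block) from reintroducing the stack-use-after-scope: `/* &sec_parms4 is kept in arg and read when pxy_compoundv4_execute() encodes it; it must stay in this frame. */`. The rest of pxy_setsessionid, including how `arg` and `res` are released, is outside the hunk.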