Bug #37508: rbd_snap_list_end() segfaults if rbd_snap_list() fails - rbd - Ceph

Bug #37508

rbd_snap_list_end() segfaults if rbd_snap_list() fails

Added by Kefu Chai about 2 years ago. Updated about 2 years ago.

Status:

Pending Backport

Priority:

Normal

Assignee:

Kefu Chai

Target version:

% Done:

Source:

Tags:

Backport:

luminous, mimic

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

ceph-qa-suite:

Pull request ID:

Crash signature:

Description

in SnapIterator in rbd.pyx, rbd_snap_list_end() is called by SnapIterator.__dealloc__(). and rbd_snap_list_end() freessnaps->name if it is not nullptr. but there is chance that snaps->name is never initialized after snaps is allocated by SnapIterator.__init__, in that case, we will free() a wild pointer.

Related issues

History

#1 Updated by Kefu Chai about 2 years ago

Status changed from In Progress to Fix Under Review

https://github.com/ceph/ceph/pull/25379

#2 Updated by Jason Dillaman about 2 years ago

Status changed from Fix Under Review to Pending Backport

#3 Updated by Nathan Cutler about 2 years ago

Copied to Backport #37535: luminous: rbd_snap_list_end() segfaults if rbd_snap_list() fails added

#4 Updated by Nathan Cutler about 2 years ago

Copied to Backport #37536: mimic: rbd_snap_list_end() segfaults if rbd_snap_list() fails added

Also available in: Atom PDF

	Copied to rbd - Backport #37535: luminous: rbd_snap_list_end() segfaults if rbd_snap_list() fails	Resolved
	Copied to rbd - Backport #37536: mimic: rbd_snap_list_end() segfaults if rbd_snap_list() fails	In Progress

Project

General

Profile

Ceph » rbd

Issues

Tags

Custom queries