Fix use-after-free in flashcache_destroy #107

Merged
merged 1 commit into from Feb 10, 2013

2 participants

@Zedzap

The sb variable points to buf. Then buf gets freed and reallocated, so the sb pointer points to freed memory. The variable is then reused to invalidate the cache_sb_state, which is writing to memory that has been freed. In addition, that change never gets saved because the buf that is written to disk does not point to the same memory as sb.

Fixed this by using a separate buffer for the superblock that doesn't get freed.

@Zedzap Fix use-after-free in flashcache_destroy
The sb variable points to buf. But buf gets freed and reallocated, so
the old pointer points to freed memory. The variable is then reused to
invalidate the cache_sb_state, but the change never gets saved
because the buf that is written to disk does not point to the same
memory.
f5ca34e
@mohans merged commit 6423f40 into facebookarchive:master Feb 10, 2013
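The aliasing pattern described in this pull request, as an added example that is not flashcache source and not part of the original thread: a constructed model in which a toy two-slot allocator stands in for the heap, so the stale write can be observed without undefined behaviour. All names (`blk_alloc`, `destroy_buggy`, `destroy_fixed`, `disk_sb`) are hypothetical.

```c
#include <stdio.h>

/* Constructed model; all names are hypothetical, none is flashcache source. */
enum { SB_INVALID = 0, SB_VALID = 1 };
struct superblock { int cache_sb_state; };
static struct superblock disk_sb;   /* superblock on the simulated device */
static struct superblock slots[2];  /* toy allocator storage: keeps the stale write defined C */
static int live[2], next_slot;      /* live[i] == 0 means slot i is currently freed */

static struct superblock *blk_alloc(void) {
    int s = next_slot;
    next_slot ^= 1;                 /* the next allocation lands in the other slot */
    live[s] = 1;
    return &slots[s];
}
static void blk_free(struct superblock *p) { live[p - slots] = 0; }
static void reset(void) { disk_sb.cache_sb_state = SB_VALID; live[0] = live[1] = next_slot = 0; }
int disk_state(void) { return disk_sb.cache_sb_state; }

/* Before: sb aliases buf, buf is freed and reallocated, then sb is reused.
 * Returns 1 if the invalidation was written into freed memory. */
int destroy_buggy(void) {
    reset();
    struct superblock *buf = blk_alloc();
    *buf = disk_sb;                      /* read the superblock into buf */
    struct superblock *sb = buf;         /* sb aliases buf */
    blk_free(buf);
    buf = blk_alloc();                   /* buf now points at different memory */
    *buf = disk_sb;
    sb->cache_sb_state = SB_INVALID;     /* stale pointer: the write hits the freed slot */
    int wrote_freed = !live[sb - slots];
    disk_sb = *buf;                      /* buf goes to disk without the change */
    blk_free(buf);
    return wrote_freed;
}

/* After: the superblock has its own buffer that is never freed. Returns the on-disk state. */
int destroy_fixed(void) {
    reset();
    struct superblock sb_buf = disk_sb;  /* separate superblock buffer */
    struct superblock *buf = blk_alloc();
    blk_free(buf);
    buf = blk_alloc();                   /* buf churn no longer affects the superblock */
    sb_buf.cache_sb_state = SB_INVALID;
    disk_sb = sb_buf;                    /* the invalidated superblock is what gets written */
    blk_free(buf);
    return disk_state();
}
int main(void) {
    int freed = destroy_buggy(), lost = disk_state();
    printf("buggy: freed-write=%d disk=%d; fixed: disk=%d\n", freed, lost, destroy_fixed());
    return 0;
}
```

With a real allocator the `sb->cache_sb_state` store in the "before" path is undefined behaviour, which is why tools such as AddressSanitizer or KASAN are the usual way to catch this class of bug.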