Re: [PATCH] Fix double-free on error condition in GnttabPermitForeignAccess()
On 13/03/2024 08:13, Owen Smith wrote:

Reviewed-by: Owen Smith <owen.smith@xxxxxxxxx <mailto:owen.smith@xxxxxxxxx>>

Acked-by: Paul Durrant <paul@xxxxxxx>

On Thu, Mar 7, 2024 at 10:19 AM Rafał Wojdyła <omeg@xxxxxxxxxxxxxxxxxxxxxx <mailto:omeg@xxxxxxxxxxxxxxxxxxxxxx>> wrote:

XENIFACE_GNTTAB_CONTEXT associated with the request was incorrectly freed by GnttabPermitForeignAccess() when a failure occurred. The context is also freed by the parent function, IoctlGnttabPermitForeignAccess(), which led to a double-free and kernel heap corruption.

GnttabStopSharing() as the final step in the failure path takes care of cleaning up the contents of the (possibly partially initialized) context.

Signed-off-by: Rafał Wojdyła <omeg@xxxxxxxxxxxxxxxxxxxxxx <mailto:omeg@xxxxxxxxxxxxxxxxxxxxxx>>

Not sure why this ended up with the 'mailto' part; I'll delete it on commit.

---
 src/xeniface/ioctl_gnttab.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/src/xeniface/ioctl_gnttab.c b/src/xeniface/ioctl_gnttab.c
index 8ab2099..026f29b 100644
--- a/src/xeniface/ioctl_gnttab.c
+++ b/src/xeniface/ioctl_gnttab.c
@@ -304,12 +304,6 @@ fail2:
 
 fail1:
     Error("Fail1\n");
     GnttabStopSharing(Fdo, Context, Page);
-
-    if (Context != NULL) {
-        RtlZeroMemory(Context, sizeof(*Context));
-        __FreePoolWithTag(Context, XENIFACE_POOL_TAG);
-    }
-
     return Status;
 }
-- 
2.43.0.windows.1
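Review bot: the fail1 path now leaves Context allocated and relies entirely on IoctlGnttabPermitForeignAccess() to release it, as the commit message says; it is worth confirming in the caller that every error return after the context is handed to GnttabPermitForeignAccess() actually reaches that free, since the hunk only removes the callee's copy. The removed RtlZeroMemory() also went away, so GnttabStopSharing(Fdo, Context, Page) is now the only thing that resets a partially initialised Context before the caller frees it; a one-line note in the commit message that this is intentional would make the ownership rule (caller allocates, caller frees) explicit for the next reader.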
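The defect the patch removes is a callee freeing a buffer it does not own, so that the owning caller frees it a second time. The following is an added example, not code from the xeniface patch or from anyone in this thread: a user-space model of that ownership rule, where a tiny slot allocator with a "live" flag stands in for the kernel pool so a double free is counted rather than corrupting the heap. The names permit_foreign_access, ioctl_permit_foreign_access and stop_sharing are hypothetical stand-ins for the driver functions discussed above.

```c
/*
 * Added example (hypothetical names; not the xeniface code). Models the rule
 * the patch restores: the caller that allocates the context is the only
 * function that frees it. The callee may tear down what it set up, but never
 * releases the allocation.
 */
#include <string.h>
#include <stdio.h>

typedef struct {
    int page_granted;   /* set once the grant step succeeded */
    int notify_enabled; /* set once the notify step succeeded */
} gnttab_context;

/* Stand-in for the kernel pool: a fixed set of slots with a liveness flag. */
#define POOL_SLOTS 4
static gnttab_context pool[POOL_SLOTS];
static int pool_live[POOL_SLOTS];
static int double_free_count;   /* incremented when a dead slot is freed again */

static gnttab_context *context_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_live[i]) {
            pool_live[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

static void context_free(gnttab_context *ctx) {
    int i = (int)(ctx - pool);
    if (!pool_live[i]) {            /* a real pool cannot report this safely */
        double_free_count++;
        return;
    }
    pool_live[i] = 0;
}

/* Undo whatever the callee managed to set up; tolerates a partially initialised context. */
static void stop_sharing(gnttab_context *ctx) {
    ctx->notify_enabled = 0;
    ctx->page_granted = 0;
}

/*
 * Callee. fail_at_step injects a failure (0 = none). With callee_frees != 0 it
 * reproduces the pre-patch behaviour and frees the context itself on failure;
 * with 0 it behaves like the patched code and only cleans up contents.
 */
static int permit_foreign_access(gnttab_context *ctx, int fail_at_step, int callee_frees) {
    if (fail_at_step == 1)
        goto fail1;
    ctx->page_granted = 1;
    if (fail_at_step == 2)
        goto fail2;
    ctx->notify_enabled = 1;
    return 0;

fail2:
fail1:
    stop_sharing(ctx);
    if (callee_frees)
        context_free(ctx);  /* wrong: the caller owns ctx and frees it too */
    return -1;
}

/* Caller and sole owner of the allocation: frees on every failing path. */
static int ioctl_permit_foreign_access(int fail_at_step, int callee_frees) {
    gnttab_context *ctx = context_alloc();
    if (ctx == NULL)
        return -1;
    if (permit_foreign_access(ctx, fail_at_step, callee_frees) != 0) {
        context_free(ctx);
        return -1;
    }
    context_free(ctx);      /* success path, modelled as an immediate release */
    return 0;
}

/* Number of double frees produced by one request with the given settings. */
int double_frees_for(int fail_at_step, int callee_frees) {
    double_free_count = 0;
    ioctl_permit_foreign_access(fail_at_step, callee_frees);
    return double_free_count;
}

int main(void) {
    printf("pre-patch callee, failure at step 1: %d double free(s)\n", double_frees_for(1, 1));
    printf("patched callee, failure at step 1:   %d double free(s)\n", double_frees_for(1, 0));
    printf("patched callee, success:             %d double free(s)\n", double_frees_for(0, 0));
    return 0;
}
```

The slot allocator is the point of the model: it makes the second release observable, which the real pool cannot do without a debug allocator, so the same harness can be used to check any caller/callee pair that shares a buffer across an error path.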