On 3/21/20 1:06 PM, Philippe Mathieu-Daudé wrote:
On success, the fdopendir() call closes fd. Later on the error
path we try to close an already-closed fd. This can lead to
use-after-free. Fix by only closing the fd if the fdopendir()
call failed.
Cc: qemu-sta...@nongnu.org
Fixes: 7c6b66027 (Import passthrough_ll from libfuse fuse-3.8.0)
libfuse is correct, the bug was introduced in commit b39bce121b, so:
Fixes: b39bce121b (add dirp_map to hide lo_dirp pointers)
Reported-by: Coverity (CID 1421933 USE_AFTER_FREE)
Suggested-by: Peter Maydell <peter.mayd...@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
---
tools/virtiofsd/passthrough_ll.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 4f259aac70..4c35c95b25 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -1520,8 +1520,7 @@ out_err:
if (d) {
if (d->dp) {
closedir(d->dp);
- }
- if (fd != -1) {
+ } else if (fd != -1) {
close(fd);
}
free(d);