Bug ID 1193334
Summary multipathd: double free in remove_map()
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Basesystem
Assignee screening-team-bugs@suse.de
Reporter martin.wilck@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Original bug report from Lixiaokeng ("libmultipath: clear removed path from
mpp") upstream:

    multipathd[3525635]: ==3525635==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa4902fc0 at pc 0xffffac7d5b88 bp 0xffffa948dac0 sp 0xffffa948dae0
    multipathd[3525635]: READ of size 8 at 0xffffa4902fc0 thread T7
    multipathd[3525635]:    #0 0xffffac7d5b87 in free_multipath (/usr/lib64/libmultipath.so.0+0x4bb87)
    multipathd[3525635]:    #1 0xaaaad6cf7057  (/usr/sbin/multipathd+0x17057)
    multipathd[3525635]:    #2 0xaaaad6cf78eb  (/usr/sbin/multipathd+0x178eb)
    multipathd[3525635]:    #3 0xaaaad6cff4df  (/usr/sbin/multipathd+0x1f4df)
    multipathd[3525635]:    #4 0xaaaad6cfffe7  (/usr/sbin/multipathd+0x1ffe7)
    multipathd[3525635]:    #5 0xffffac807be3 in uevent_dispatch (/usr/lib64/libmultipath.so.0+0x7dbe3)
    multipathd[3525635]:    #6 0xaaaad6cf563f  (/usr/sbin/multipathd+0x1563f)
    multipathd[3525635]:    #7 0xffffac6877af  (/usr/lib64/libpthread.so.0+0x87af)
    multipathd[3525635]:    #8 0xffffac44118b  (/usr/lib64/libc.so.6+0xd518b)
    multipathd[3525635]: 0xffffa4902fc0 is located 1344 bytes inside of 1440-byte region [0xffffa4902a80,0xffffa4903020)
    multipathd[3525635]: freed by thread T7 here:
    multipathd[3525635]:    #0 0xffffac97d703 in free (/usr/lib64/libasan.so.4+0xd0703)
    multipathd[3525635]:    #1 0xffffac824827 in orphan_paths (/usr/lib64/libmultipath.so.0+0x9a827)
    multipathd[3525635]:    #2 0xffffac824a43 in remove_map (/usr/lib64/libmultipath.so.0+0x9aa43)
    multipathd[3525635]:    #3 0xaaaad6cf7057  (/usr/sbin/multipathd+0x17057)
    multipathd[3525635]:    #4 0xaaaad6cf78eb  (/usr/sbin/multipathd+0x178eb)
    multipathd[3525635]:    #5 0xaaaad6cff4df  (/usr/sbin/multipathd+0x1f4df)
    multipathd[3525635]:    #6 0xaaaad6cfffe7  (/usr/sbin/multipathd+0x1ffe7)
    multipathd[3525635]:    #7 0xffffac807be3 in uevent_dispatch (/usr/lib64/libmultipath.so.0+0x7dbe3)
    multipathd[3525635]:    #8 0xaaaad6cf563f  (/usr/sbin/multipathd+0x1563f)
    multipathd[3525635]:    #9 0xffffac6877af  (/usr/lib64/libpthread.so.0+0x87af)
    multipathd[3525635]:    #10 0xffffac44118b  (/usr/lib64/libc.so.6+0xd518b)

    When mpp only has one path and the path is logged out, there is an ASan error.
    In remove_mpp, the pp is freed first in orphan_path but is accessed and
    changed in free_multipath later. Before free_path(pp), the pp should be
    cleared from pp->mpp.
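To make the ownership defect in the report concrete, here is an added example that is neither code from multipath-tools nor the upstream patch: a toy model of a map holding a vector of path pointers, where each path carries a back-pointer to its map. The names `struct path`, `struct multipath`, `orphan_path`, `free_path`, `free_multipath` and `remove_map` follow the report's vocabulary, but the structure layouts, the `live_paths` counter and the `unlink_path_from_map` helper are assumptions made for this demonstration. The point it shows is the order of operations: a path is removed from its map before it is freed, so a later `free_multipath` walks a vector that no longer references freed memory.

```c
#include <stdlib.h>
#include <string.h>

struct multipath;

/* Toy model of a path: a device name plus a back-pointer to the owning map. */
struct path {
	char dev[16];
	struct multipath *mpp;	/* NULL once the path has been orphaned */
};

/* Toy model of a map: a growable vector of the paths it owns. */
struct multipath {
	struct path **paths;
	size_t npaths;
};

/* Path objects currently allocated (assumed bookkeeping for this example):
 * lets a caller check that every path is freed exactly once. */
static int live_paths;

struct multipath *alloc_multipath(void)
{
	return calloc(1, sizeof(struct multipath));
}

/* Allocate a path, append it to mpp->paths and set the back-pointer. */
struct path *add_path(struct multipath *mpp, const char *dev)
{
	struct path **grown = realloc(mpp->paths, (mpp->npaths + 1) * sizeof(*grown));
	struct path *pp = grown ? calloc(1, sizeof(*pp)) : NULL;
	if (grown)
		mpp->paths = grown;
	if (!pp)
		return NULL;
	strncpy(pp->dev, dev, sizeof(pp->dev) - 1);
	pp->mpp = mpp;
	mpp->paths[mpp->npaths++] = pp;
	live_paths++;
	return pp;
}

/* Drop pp from its map's vector and clear the back-pointer.
 * Returns 1 if the map referenced pp, 0 if it did not (already orphaned). */
int unlink_path_from_map(struct path *pp)
{
	struct multipath *mpp = pp->mpp;
	size_t i;
	if (!mpp)
		return 0;
	for (i = 0; i < mpp->npaths; i++) {
		if (mpp->paths[i] != pp)
			continue;
		/* shift the tail down over the removed slot */
		memmove(&mpp->paths[i], &mpp->paths[i + 1],
			(mpp->npaths - i - 1) * sizeof(*mpp->paths));
		mpp->npaths--;
		pp->mpp = NULL;
		return 1;
	}
	return 0;
}

void free_path(struct path *pp)
{
	live_paths--;
	free(pp);
}

/* Orphan a path: unlink it from the map BEFORE freeing it, so the map never
 * keeps a dangling pointer. The report describes pp being freed while mpp
 * still referenced it, which free_multipath then touched. */
void orphan_path(struct path *pp)
{
	unlink_path_from_map(pp);
	free_path(pp);
}

/* Free a map together with any paths it still owns. */
void free_multipath(struct multipath *mpp)
{
	size_t i;
	for (i = 0; i < mpp->npaths; i++)
		free_path(mpp->paths[i]);
	free(mpp->paths);
	free(mpp);
}

/* Same ordering as the report: orphan every path, then free the map.
 * Returns the number of path objects still allocated afterwards. */
int remove_map(struct multipath *mpp)
{
	while (mpp->npaths > 0)
		orphan_path(mpp->paths[mpp->npaths - 1]);
	free_multipath(mpp);
	return live_paths;
}
```

Built with `-fsanitize=address`, a variant that called `free_path` before `unlink_path_from_map` would produce a heap-use-after-free report of the same shape as the one above as soon as `free_multipath` walked the stale vector; with the unlink first, the vector is already empty when the map is freed and `remove_map` returns 0 for a single-path map as well as a multi-path one.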

