fsal proxy: fix use-after-scope in create session
csa_sec_parms_val was declared in its own scope but was used much
later, we need to declare it outside of the helper and pass the
address there.

==7480==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fffea684340 at pc 0x7fffecec1e9c bp 0x7fffea683510 sp 0x7fffea683500
READ of size 4 at 0x7fffea684340 thread T5

    #0 0x7fffecec1e9b in xdr_uint32_t /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:221
    #1 0x7fffecec1ef7 in xdr_u_int32_t /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:236
    #2 0x7fffecec9d88 in xdr_callback_sec_parms4 /src/nfs-ganesha/src/include/nfsv41.h:6750
    #3 0x7fffecec3c3c in xdr_array_encode /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:848
    #4 0x7fffecec3ef3 in xdr_array /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:891
    #5 0x7fffececaa56 in xdr_CREATE_SESSION4args /src/nfs-ganesha/src/include/nfsv41.h:7049
    #6 0x7fffecece544 in xdr_nfs_argop4 /src/nfs-ganesha/src/include/nfsv41.h:8233
    #7 0x7fffecec3c3c in xdr_array_encode /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:848
    #8 0x7fffecec3ef3 in xdr_array /src/nfs-ganesha/src/libntirpc/ntirpc/rpc/xdr_inline.h:891
    #9 0x7fffececfef4 in xdr_COMPOUND4args /src/nfs-ganesha/src/include/nfsv41.h:8732
    #10 0x7fffeced6f8c in pxy_compoundv4_call /src/nfs-ganesha/src/FSAL/FSAL_PROXY/handle.c:764
    #11 0x7fffeced834a in pxy_compoundv4_execute /src/nfs-ganesha/src/FSAL/FSAL_PROXY/handle.c:857
    #12 0x7fffeceda878 in pxy_setsessionid /src/nfs-ganesha/src/FSAL/FSAL_PROXY/handle.c:966
    #13 0x7fffecedc7eb in pxy_clientid_renewer /src/nfs-ganesha/src/FSAL/FSAL_PROXY/handle.c:1147
    #14 0x7ffff5572593 in start_thread /usr/src/debug/glibc-2.27-78-g2b47bb9cba/nptl/pthread_create.c:463
    #15 0x7ffff4e84e6e in clone (/lib64/libc.so.6+0xf9e6e)

Address 0x7fffea684340 is located in stack of thread T5 at offset 288 in frame
    #0 0x7fffeced9cbc in pxy_setsessionid /src/nfs-ganesha/src/FSAL/FSAL_PROXY/handle.c:936

  This frame has 7 object(s):
    [32, 36) 'seqid'
    [96, 100) 'fore_ca_rdma_ird_val_sink'
    [160, 164) 'back_ca_rdma_ird_val_sink'
    [224, 232) 'cid'
    [288, 336) 'csa_sec_parms_val' <== Memory access at offset 288 is inside this variable
    [384, 960) 'arg'
    [992, 1632) 'res'

Change-Id: I597abb06747898418c907e33b57b1f0ac1f904f7
Signed-off-by: Dominique Martinet <[email protected]>
Dominique Martinet authored and ffilz committed Oct 5, 2018
1 parent 6d342c3 commit 0a52f7f
Showing 2 changed files with 6 additions and 5 deletions.
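--- a/src/FSAL/FSAL_PROXY/fsal_nfsv4_macros.h
+++ b/src/FSAL/FSAL_PROXY/fsal_nfsv4_macros.h
@@ -66,9 +66,9 @@ do { \
 op->nfs_argop4_u.opreclaim_complete.rca_one_fs = false; \
 } while (0)
 
-#define COMPOUNDV4_ARG_ADD_OP_CREATE_SESSION(opcnt, argarray, cid, seqid, info)\
+#define COMPOUNDV4_ARG_ADD_OP_CREATE_SESSION(opcnt, argarray, cid, \
+seqid, info, sec_parms4) \
 do { \
-callback_sec_parms4 csa_sec_parms_val; \
 struct channel_attrs4 *fore_attrs; \
 struct channel_attrs4 *back_attrs; \
 CREATE_SESSION4args *opcreate_session; \
@@ -99,8 +99,8 @@ do { \
 back_attrs->ca_rdma_ird.ca_rdma_ird_val = NULL; \
 opcreate_session->csa_cb_program = info->srv_prognum; \
 opcreate_session->csa_sec_parms.csa_sec_parms_len = 1; \
-csa_sec_parms_val.cb_secflavor = AUTH_NONE; \
-opcreate_session->csa_sec_parms.csa_sec_parms_val = &csa_sec_parms_val;\
+(sec_parms4)->cb_secflavor = AUTH_NONE; \
+opcreate_session->csa_sec_parms.csa_sec_parms_val = (sec_parms4); \
 } while (0)
 
 #define COMPOUNDV4_ARG_ADD_OP_PUTROOTFH(opcnt, argarray) \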
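Review bot: The lifetime requirement on the new `sec_parms4` argument is not documented at the `#define`, although the macro keeps the caller's pointer in `csa_sec_parms.csa_sec_parms_val` rather than copying the object. The ASan trace in the commit message shows that pointer being read later, during XDR encoding under `pxy_compoundv4_execute`, so the storage has to stay valid for as long as `argarray` is in use. I would add above the `#define`: `/* sec_parms4: caller-owned callback_sec_parms4; the macro stores the pointer, so it must outlive every use of argarray */`. The macro body continues between and beyond the two hunks shown, so whether other block-scoped locals have their address stored the same way cannot be checked from here.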
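--- a/src/FSAL/FSAL_PROXY/handle.c
+++ b/src/FSAL/FSAL_PROXY/handle.c
@@ -946,6 +946,7 @@ static int pxy_setsessionid(sessionid4 new_sessionid, uint32_t *lease_time,
 sequenceid4 seqid;
 CREATE_SESSION4res *s_res;
 CREATE_SESSION4resok *res_ok;
+callback_sec_parms4 sec_parms4;
 uint32_t fore_ca_rdma_ird_val_sink;
 uint32_t back_ca_rdma_ird_val_sink;
 
@@ -963,7 +964,7 @@ static int pxy_setsessionid(sessionid4 new_sessionid, uint32_t *lease_time,
 &back_ca_rdma_ird_val_sink;
 
 COMPOUNDV4_ARG_ADD_OP_CREATE_SESSION(opcnt, arg, cid, seqid,
-(&(pxy_exp->info)));
+(&(pxy_exp->info)), &sec_parms4);
 rc = pxy_compoundv4_execute(__func__, NULL, opcnt, arg, res, pxy_exp);
 if (rc != NFS4_OK)
 return -1;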
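Review bot: `callback_sec_parms4 sec_parms4;` is declared without an initialiser, and the macro assigns only `cb_secflavor`, so the rest of the object handed to the XDR encoder is uninitialised stack memory. With `AUTH_NONE` the encoder presumably reads nothing beyond the flavor, but if the flavor is ever changed to one that carries a body, stale stack contents would be serialised or dereferenced. Declaring it as `callback_sec_parms4 sec_parms4 = {0};` removes that hazard at no cost. `pxy_setsessionid` starts and ends outside the hunks shown.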
