OpenAFS Master Repository branch, master, updated. openafs-devel-1_9_1-44-g966d5eb

Gerrit Code Review gerrit@openafs.org
Tue, 29 Jun 2021 17:36:06 -0400


The following commit has been merged in the master branch:
commit 966d5eb58f1f4fb333f263f018429c3a782be344
Author: Andrew Deason <adeason@sinenomine.net>
Date:   Thu Jun 17 17:15:13 2021 -0500

    afs: Free pioctlToken in extractPioctlToken
    
    Ever since it was introduced in commit 5ec5ad5 (New GetToken pioctl),
    extractPioctlToken has incorrectly freed pioctlToken by passing
    '&pioctlToken' to xdr_free (instead of 'pioctlToken').
    
    This causes xdr_ktc_tokenUnion to interpret &pioctlToken (which is a
    struct ktc_tokenUnion **) as a struct ktc_tokenUnion *. This doesn't
    cause any corruption or panics, since ktc_tokenUnion doesn't contain
    any freeable fields unless its at_type is 2 (AFSTOKEN_UNION_KAD). So
    as long as the bogus 'at_type' from the misinterpreted pointer is not 2,
    the xdr_free call will just not free anything (and return an error,
    which we ignore).
    
    If the bogus at_type is 2, this would probably cause some memory
    corruption or other nastiness. For this to happen on 32-bit systems,
    the value of the 'pioctlToken' pointer itself would need to be 0x2.
    On 64-bit systems, the top or bottom 32-bits of the pointer would need
    to be 0x2 (depending on endianness). Those situations seem impossible
    or very unlikely on most systems, and have never been seen in the
    wild.
    
    FIXES 135238
    
    Change-Id: Id14571d090570cfacfa920048f41c3b1e434f31c
    Reviewed-on: https://gerrit.openafs.org/14651
    Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
    Tested-by: BuildBot <buildbot@rampaginggeek.com>
    Reviewed-by: Andrew Deason <adeason@sinenomine.net>

 src/afs/afs_tokens.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

-- 
OpenAFS Master Repository
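
The pointer mix-up described in the commit message, as an added example that is not OpenAFS code: a free routine that walks an object by its discriminant is handed the address of the pointer instead of the pointer, reads part of the pointer value as at_type, frees nothing and returns an error. The names token_model, token_free_model, misread_discriminant, release_buggy, release_fixed and new_kad_token are hypothetical stand-ins for struct ktc_tokenUnion and the xdr_free call; TOKEN_KAD models AFSTOKEN_UNION_KAD.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TOKEN_KAD 2 /* stands in for AFSTOKEN_UNION_KAD (at_type 2) */
/* Hypothetical stand-in for struct ktc_tokenUnion: only the KAD arm owns heap memory. */
struct token_model { int32_t at_type; char *ticket; };
int frees_done; /* payloads actually released */

/* Models an XDR-style free routine: trusts the discriminant found at the
 * address it is handed. Returns 1 on success, 0 for an unrecognised at_type. */
int token_free_model(void *obj) {
    int32_t type;
    memcpy(&type, obj, sizeof type);
    if (type != TOKEN_KAD)
        return 0; /* nothing freed, error reported to a caller who may ignore it */
    struct token_model *t = obj;
    free(t->ticket);
    t->ticket = NULL;
    frees_done++;
    return 1;
}

/* at_type as seen when the routine is handed &tok: the first four bytes of
 * the pointer value itself (low or high half on 64-bit, by endianness). */
int32_t misread_discriminant(struct token_model *tok) {
    int32_t type;
    memcpy(&type, &tok, sizeof type);
    return type;
}
int release_buggy(struct token_model *tok) { return token_free_model(&tok); } /* pre-fix shape */
int release_fixed(struct token_model *tok) { return token_free_model(tok); }  /* post-fix shape */

struct token_model *new_kad_token(void) {
    struct token_model *tok = malloc(sizeof *tok);
    if (tok == NULL) return NULL;
    tok->at_type = TOKEN_KAD;
    tok->ticket = malloc(16); /* constructed sample payload */
    return tok;
}

int main(void) {
    struct token_model *tok = new_kad_token();
    if (tok == NULL || misread_discriminant(tok) == TOKEN_KAD) return 2;
    int leaked = release_buggy(tok) == 0 && frees_done == 0; /* KAD payload survives */
    int freed = release_fixed(tok) == 1 && frees_done == 1;
    free(tok);
    return !(leaked && freed);
}
```

main() skips the buggy call if the misread discriminant happens to equal 2, since that is the case the commit message says would lead to memory corruption.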