ramfs: fix use-after-free when ranaming files

This happens when you move a file to a different directory. Thread 2 (Thread 2): 1 0x000000000032ed3b in halt_no_interrupts () at ../../arch/x64/processor.hh:239 osv::halt () at ../../core/power.cc:28 2 0x000000000020e7fe in abort ( msg=msg@entry=0x580160 "page fault outside application") at ../../runtime.cc:109 3 0x00000000002ecfdc in page_fault (ef=0xffffc0003e362008) at ../../core/mmu.cc:981 4 <signal handler called> 5 merge (b=0xffffc0003b4e8000, a=0xfffffffffffffff8) at ../../core/mempool.cc:421 6 memory::free_page_range_locked (range=range@entry=0xffffc0003b4e8000) at ../../core/mempool.cc:436 7 0x00000000003186d7 in memory::free_page_range ( range=range@entry=0xffffc0003b4e8000) at ../../core/mempool.cc:448 8 0x0000000000319280 in free_large (obj=0xffffc0003b4e9000) at ../../core/mempool.cc:460 9 std_free (object=0xffffc0003b4e9000) at ../../core/mempool.cc:790 10 free (obj=0xffffc0003b4e9000) at ../../core/mempool.cc:892 11 0x0000000000340e52 in ramfs_free_node (np=np@entry=0xffffc0003d250d40) at ../../fs/ramfs/ramfs_vnops.c:78 12 0x0000000000340ed2 in ramfs_remove_node (dnp=0xffffc0003d250a00, np=0xffffc0003d250d40) at ../../fs/ramfs/ramfs_vnops.c:131 13 0x0000000000340ffd in ramfs_rename (dvp1=0xffffc0003fc9a180, vp1=0xffffc0003fc9a100, name1=<optimized out>, dvp2=0xffffc0003fc9a280, vp2=<optimized out>, name2=0x2000001fedf1 "prefix_suffix") at ../../fs/ramfs/ramfs_vnops.c:380 14 0x0000000000340069 in sys_rename (src=<optimized out>, dest=<optimized out>) at ../../fs/vfs/vfs_syscalls.c:671 15 0x000000000033a3b2 in rename (oldpath=<optimized out>, newpath=0xffffc0003e858cc0 "/tmp/t3-26e1b47c/prefix_suffix") at ../../fs/vfs/main.cc:634 Signed-off-by: Tomasz Grabiec <tgrabiec@cloudius-systems.com>

ramfs: fix use-after-free when ranaming files
858a2289 · Tomasz Grabiec · e0b7db23 · 858a2289 · 858a2289
Commit 858a2289 authored 11 years ago by Tomasz Grabiec
--- a/fs/ramfs/ramfs_vnops.c
+++ b/fs/ramfs/ramfs_vnops.c
@@ -375,6 +375,7 @@ ramfs_rename(struct vnode *dvp1, struct vnode *vp1, char *name1,
 			np->rn_buf = old_np->rn_buf;
 			np->rn_size = old_np->rn_size;
 			np->rn_bufsize = old_np->rn_bufsize;
+			old_np->rn_buf = NULL;
 		}
 		/* Remove source file */
 		ramfs_remove_node(dvp1->v_data, vp1->v_data);

--- a/tests/tst-rename.cc
+++ b/tests/tst-rename.cc
@@ -77,3 +77,23 @@ BOOST_AUTO_TEST_CASE(test_renaming_in_the_same_directory)
 		dir / "aaaaaaaaa",
 		dir / "aa");
 }
+
+BOOST_AUTO_TEST_CASE(test_moving_file_to_another_directory)
+{
+	TempDir dir;
+
+	std::string sub("sub");
+	BOOST_REQUIRE(fs::create_directories(dir / sub));
+
+	test_rename(
+		dir / "file",
+		dir / sub / "file");
+
+	test_rename(
+		dir / sub / "file2",
+		dir / "file2");
+
+	test_rename(
+		dir / sub / "a",
+		dir / "aaaa");
+}