
Re: [PATCH 1/4] Fix Use-After-Free


  • To: win-pv-devel@xxxxxxxxxxxxxxxxxxxx
  • From: "Durrant, Paul" <xadimgnik@xxxxxxxxx>
  • Date: Fri, 11 Feb 2022 19:53:14 +0000
  • Delivery-date: Fri, 11 Feb 2022 19:53:21 +0000
  • List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>

On 07/02/2022 13:15, Owen Smith wrote:
Stash the underlying buffer pointer before freeing the MDL, so that
MmGetSystemAddressForMdlSafe doesn't attempt to access already-freed
memory.

Signed-off-by: Owen Smith <owen.smith@xxxxxxxxxx>

Eek. Good spot.

Reviewed-by: Paul Durrant <paul@xxxxxxx>

---
  src/xenbus/fdo.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/xenbus/fdo.c b/src/xenbus/fdo.c
index e2b2702..48d381a 100644
--- a/src/xenbus/fdo.c
+++ b/src/xenbus/fdo.c
@@ -5695,9 +5695,10 @@ __FdoFreeBuffer(
Fdo->Mdl = NULL; + Buffer = MmGetSystemAddressForMdlSafe(Mdl, NormalPagePriority);
+
      ExFreePool(Mdl);
- Buffer = MmGetSystemAddressForMdlSafe(Mdl, NormalPagePriority);
      MmFreeContiguousMemory(Buffer);
  }
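
Review bot: Buffer goes straight into MmFreeContiguousMemory(Buffer) with no check, and MmGetSystemAddressForMdlSafe returns NULL if it has to create a system mapping and cannot; add an ASSERT(Buffer != NULL) or an early return after the moved assignment. A one-line comment above that assignment stating that the address must be read before ExFreePool(Mdl) would also help keep a later cleanup from putting the two calls back in the old order.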




 

