[haiku-commits] Change in haiku[master]: VMAnonymousCache: Fix use after free when freeing partial block.

  • From: Gerrit <review@xxxxxxxxxxxxxxxxxxx>
  • To: waddlesplash <waddlesplash@xxxxxxxxx>, haiku-commits@xxxxxxxxxxxxx
  • Date: Tue, 5 May 2020 19:31:24 +0000

From Michael Lotz <mmlr@xxxxxxxx>:

Michael Lotz has uploaded this change for review. ( https://review.haiku-os.org/c/haiku/+/2584 )


Change subject: VMAnonymousCache: Fix use after free when freeing partial block.
......................................................................

VMAnonymousCache: Fix use after free when freeing partial block.

When only some initial slots of a block were filled, the block would
become unused early and get freed. The iteration for the remaining slots
would then operate on the stale swapBlock as the pointer was not reset.

As we already know that the remaining slots can't be in use, directly
skip to the next swap block to avoid needless hash lookups.
---
M src/system/kernel/vm/VMAnonymousCache.cpp
1 file changed, 5 insertions(+), 0 deletions(-)



  git pull ssh://git.haiku-os.org:22/haiku refs/changes/84/2584/1

diff --git a/src/system/kernel/vm/VMAnonymousCache.cpp 
b/src/system/kernel/vm/VMAnonymousCache.cpp
index 039bac1..a8a4413 100644
--- a/src/system/kernel/vm/VMAnonymousCache.cpp
+++ b/src/system/kernel/vm/VMAnonymousCache.cpp
@@ -535,6 +535,11 @@
                        sSwapHashTable.RemoveUnchecked(swapBlock);
                        object_cache_free(sSwapBlockCache, swapBlock,
                                CACHE_DONT_WAIT_FOR_MEMORY | 
CACHE_DONT_LOCK_KERNEL_SPACE);
+
+                       // There are no swap pages for possibly remaining 
pages, skip to the
+                       // next block.
+                       pageIndex = ROUNDUP(pageIndex + 1, SWAP_BLOCK_PAGES) - 
1;
+                       swapBlock = NULL;
                }
        }
 }
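Review bot: the correctness of `pageIndex = ROUNDUP(pageIndex + 1, SWAP_BLOCK_PAGES) - 1;` depends on two things the hunk does not show and the comment does not state: the enclosing loop must advance `pageIndex` by one after this point (otherwise the next iteration lands on the last slot of the block just freed rather than the first slot of the next block), and `ROUNDUP` must return its argument unchanged when it is already a multiple of `SWAP_BLOCK_PAGES` (so that when `pageIndex` is already the last slot of the block the expression leaves it as is). Please spell out both in the comment, and reword it, since "There are no swap pages for possibly remaining pages" reads awkwardly; e.g. "No swap pages remain for the rest of this block: move to its last slot so the loop's increment lands on the next block, and drop the stale pointer." It is also worth noting in the commit message or comment that `swapBlock = NULL;` is the line that actually closes the use-after-free (the freed block is no longer reachable through the iteration), while the `pageIndex` adjustment is the hash-lookup optimisation; keeping the two concerns visibly separate makes the fix easier to verify and to backport.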

--
To view, visit https://review.haiku-os.org/c/haiku/+/2584
To unsubscribe, or for help writing mail filters, visit 
https://review.haiku-os.org/settings

Gerrit-Project: haiku
Gerrit-Branch: master
Gerrit-Change-Id: Ib25377beb092aaf3533de1786b5f4c1099464599
Gerrit-Change-Number: 2584
Gerrit-PatchSet: 1
Gerrit-Owner: Michael Lotz <mmlr@xxxxxxxx>
Gerrit-MessageType: newchange
