Hmm, in usr/src/uts/common/fs/hsfs/hsfs_vfsops.c function hs_mountfs(),
whenever we take one of the first three |goto cleanup|, the local variables
|svp| and |jvp| are still uninitialized.  That should corrupt the kernel heap
when we kmem_free() an uninitialized stack pointer in the cleanup section;
the |if (svp)| / |if (jvp)| guards there don't help, since an uninitialized
pointer is not reliably NULL ...



        struct hs_volume *svp;          /* Supplemental VD for ISO-9660:1999 */
        struct hs_volume *jvp;          /* Joliet VD */

...

        /*
         * Refuse to go any further if this
         * device is being used for swapping
         */
        if (IS_SWAPVP(common_specvp(devvp))) {
                error = EBUSY;
                goto cleanup;
        }

        vap.va_mask = AT_SIZE;
        if ((error = VOP_GETATTR(devvp, &vap, ATTR_COMM, cr, NULL)) != 0) {
                cmn_err(CE_NOTE, "Cannot get attributes of the CD-ROM driver");
                goto cleanup;
        }

        /*
         * Make sure we have a nonzero size partition.
         * The current version of the SD driver will *not* fail the open
         * of such a partition so we have to check for it here.
         */
        if (vap.va_size == 0) {
                error = ENXIO;
                goto cleanup;
        }
        
        /*
         * Init a new hsfs structure.
         */
        fsp = kmem_zalloc(sizeof (*fsp), KM_SLEEP);
        svp = kmem_zalloc(sizeof (*svp), KM_SLEEP);
        jvp = kmem_zalloc(sizeof (*jvp), KM_SLEEP);

...


cleanup:
        (void) VOP_CLOSE(devvp, FREAD, 1, (offset_t)0, cr, NULL);
        VN_RELE(devvp);
        if (fsp)
                kmem_free(fsp, sizeof (*fsp));
        if (svp)
                kmem_free(svp, sizeof (*svp));
        if (jvp)
                kmem_free(jvp, sizeof (*jvp));
        return (error);
