File s390-tools-sles15sp3-zdump-fix-segfault-due-to-double-free.patch of Package s390-tools.24639
Subject: [PATCH] [BZ 197814] zdump/dfi: Fix segfault due to double free
From: Mikhail Zaslonko <zaslonko@linux.ibm.com>
Description:   zdump: segfault on zgetdump -i for multi-volume dump
Symptom:       zgetdump --info may lead to a core dump when issued for
               the device node (not a partition) right after installing
               multi-volume dump tool (without taking actual dump).
Problem:       A double free condition occurs on the zg_close() call at the end of
               the while loop in dfi_init() in the scope of zgetdump processing.
Solution:      Do not call zg_close() at the end of open_dump() function during
               multi-volume dump initialization.
Reproduction:  1) Install multi-volume dump tool
               2) Run zgetdump -i using the device node of one of the dump
               volumes as a parameter without taking actual dump.
Upstream-ID:   c4e4b926b471da9c488a6468e6bd966512d1d14c
Problem-ID:    197814
Upstream-Description:
              zdump/dfi: Fix segfault due to double free
              The problem can happen when dfi_s390mv_init_gen() returns with an error
              code to dfi_init() in dfi.c.
              A double free condition occurs on the zg_close() call at the end of the
              while loop in dfi_init() if zg_close() has already been called for the
              same file handle at the end of the open_dump() function in the scope of
              dfi_s390mv_init_gen() processing.
              This global file handle is not closed during init() call for any
              other dump formats. Since it is not reopened/reused after open_dump() call
              during multi-volume dump initialization, we should not close it at all.
              The problem can be reproduced in the following steps:
              1) Install multi-volume dump tool
                 # zipl -M mvdump.conf
                 Dump target: 2 partitions with a total size of 4732 MB.
                 Warning: All information on the following partitions will be lost!
                    /dev/dasdb2
                    /dev/dasdb3
                 Do you want to continue creating multi-volume dump partitions (y/n)?y
                 Done.
              2) Run zgetdump -i using device (not partition) as a parameter without
                 taking actual dump.
                 # zgetdump -i /dev/dasdb
                 free(): double free detected in tcache 2
                 Aborted (core dumped)
              Signed-off-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
              Reviewed-by: Alexander Egorenkov <egorenar@linux.ibm.com>
              Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
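The ownership problem the commit message describes, as an added example that is not part of the patch or of s390-tools: a constructed model in which handles are slots in a table instead of heap objects, so a second close is detected and counted rather than corrupting the allocator. The names open_dump_before/open_dump_after, init_gen_model and dfi_init_model are hypothetical stand-ins for the functions named in the description; mv_rc and later_rc model the return values of mv_dumper_read() and of a failure later in dfi_s390mv_init_gen().

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed handle table (not s390-tools code): a handle is a slot index,
 * so closing an already released slot is observable instead of being UB. */
#define MAX_FH 4
static struct { int in_use; char path[64]; } fh_table[MAX_FH];
static struct { int fh; } g = { -1 };   /* stands in for the global g.fh */

static int zg_open(const char *path)
{
    for (int i = 0; i < MAX_FH; i++) {
        if (!fh_table[i].in_use) {
            fh_table[i].in_use = 1;
            strncpy(fh_table[i].path, path, sizeof(fh_table[i].path) - 1);
            fh_table[i].path[sizeof(fh_table[i].path) - 1] = '\0';
            return i;
        }
    }
    return -1;
}

/* Returns 0 on a valid close, -1 when the slot was already released.
 * In the real code this second release is where glibc aborts with
 * "free(): double free detected". */
static int zg_close(int fh)
{
    if (fh < 0 || fh >= MAX_FH || !fh_table[fh].in_use)
        return -1;
    fh_table[fh].in_use = 0;
    return 0;
}

/* Shape of open_dump() before the patch: the callee releases a handle it
 * does not own. mv_rc models the return value of mv_dumper_read(). */
static int open_dump_before(int mv_rc)
{
    if (mv_rc != 0)
        return -ENODEV;
    zg_close(g.fh);      /* the line the patch deletes */
    return 0;
}

/* Shape after the patch: ownership of g.fh stays with the caller. */
static int open_dump_after(int mv_rc)
{
    if (mv_rc != 0)
        return -ENODEV;
    return 0;
}

/* Model of dfi_s390mv_init_gen(): open the dump, then possibly fail for
 * another reason afterwards (later_rc != 0), e.g. no dump taken yet. */
static int init_gen_model(int (*open_dump)(int), int mv_rc, int later_rc)
{
    int rc = open_dump(mv_rc);
    if (rc != 0)
        return rc;
    return later_rc;
}

/* Model of the dfi_init() loop body: open the handle, try one format, and
 * on failure close the handle before moving on to the next format.
 * Returns the number of double closes observed; 0 is the healthy value. */
static int dfi_init_model(int (*open_dump)(int), int mv_rc, int later_rc)
{
    int faults = 0;
    memset(fh_table, 0, sizeof(fh_table));
    g.fh = zg_open("/dev/dasdb");           /* constructed device path */
    if (g.fh < 0)
        return -1;
    if (init_gen_model(open_dump, mv_rc, later_rc) != 0) {
        if (zg_close(g.fh) != 0)            /* the close at the end of the loop */
            faults++;
        g.fh = -1;                          /* invalidate the stale global */
    }
    return faults;
}

int main(void)
{
    printf("before patch, init fails after open: %d double close(s)\n",
           dfi_init_model(open_dump_before, 0, -1));
    printf("after patch,  init fails after open: %d double close(s)\n",
           dfi_init_model(open_dump_after, 0, -1));
    return 0;
}
```

The model reproduces the condition from the description: open_dump() succeeds and closes g.fh, the format init then fails, and dfi_init() closes the same handle again. Removing the close from the callee is the fix; resetting g.fh to -1 after the caller's close, as dfi_init_model does, is an independent defensive measure that turns any remaining stale close into a detectable error rather than a heap corruption.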
---
 zdump/dfi_s390mv.c |    1 -
 1 file changed, 1 deletion(-)
--- a/zdump/dfi_s390mv.c
+++ b/zdump/dfi_s390mv.c
@@ -551,7 +551,6 @@ static int open_dump(void)
 	}
 	if (mv_dumper_read() != 0)
 		return -ENODEV;
-	zg_close(g.fh);
 	return 0;
 }
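Review bot: With the `zg_close(g.fh)` call removed from the end of open_dump(), ownership of the global handle now rests entirely with the caller (dfi_init(), per the description), and nothing in this hunk records that; a one-line comment before `return 0;` stating that g.fh is left open for dfi_init() to close would stop a later change from reintroducing the close. The early `return -ENODEV;` after `mv_dumper_read()` also leaves the handle open, which is now consistent with the success path, so the caller's close at the end of the while loop covers both. Worth a follow-up, outside this hunk, is making zg_close() invalidate g.fh (or tolerate an already-closed handle) so a repeat of this pattern fails visibly rather than as a double free in the allocator.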