IBM Support

IV98640: HEAP-USE-AFTER-FREE PENDMSGTAB::RESENDCALLBACKS TSCOMM.C

 

APAR status

  • Closed as program error.

Error description

  • heap-use-after-free PendMsgTab::resendCallbacks tscomm.C

Local fix

  • 



Problem summary


    

  • If tscSendInternal() is called with TscScatteredBuff and a
callback
function, the TscScatteredBuff object may prematurely be
released
if it's a stack variable. This issue happened in the call from
NsdClientDisk::nsdDoIO_WriteAndCheck() -> tscSendVaX() with
DOIO_NSD_ASYNC flag, the TscScatteredBuff object is allocated
in the stack of tscSendVaX(), the internal heap memory for
iovec elements pointed by the member variable scattered_iovecP
is allocated by the constructor, and once tscSendVaX() called
with a callback returns, the destructor will free the heap
memory pointed by scattered_iovecP.

However in the beginning of tscSendInternal, mr->iov has been
set to point to the memory pointed by scattered_iovecP by:

mr->iov = tssbP->getIovP(0);

if MSGFLAG_SCATTERED_SEND flag is set, then mr->iov would be
a dangling pointer after tscSendVaX() returns.  So the
subsequent reference to
mr->iov in PendMsgTab::resendCallbacks():

mrP->iov[0].iov_base = (char *) &mrP->msg_buf.hdr;

is a heap-use-after-free issue.

    



Problem conclusion


    

  • Just use the memory of mrP->iov_local as the iovec array to
save the RPC header and the data in
PendMsgTab::resendCallback423

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IV98640
    • 

  • Reported component name
    SPECTRUM SCALE
    • 

  • Reported component ID
    5725Q01AP
    • 

  • Reported release
    423
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-08-01
    • 

  • Closed date
    2017-08-01
    • 

  • Last modified date
    2019-06-28
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    
IV94492
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    SPECTRUM SCALE
    • 

  • Fixed component ID
    5725Q01AP
    • 



Applicable component levels


    

  • R423  PSY  U885025
       19/06/28  I  1000
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"STXKQY","label":"IBM Spectrum Scale"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"423","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSFKCN","label":"General Parallel File System"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"423","Edition":"","Line of Business":{"code":"","label":""}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            28 June 2019
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback