author: Richard Yao <[email protected]>  2022-12-03 15:09:48 -0500
committer: Brian Behlendorf <[email protected]>  2022-12-08 14:15:10 -0800
commit: d30db519af44b905fc52b8c8ba34f6378aa03470 (patch)
tree: 43fc8ad7e7f3649f880920f1ed24d5a179987c3f /cmd
parent: 2709ace096b8448f07537f978863ad061cc3c7da (diff)
zdb: zdb_ddt_leak_init() reads uninitialized memory when birth == 0
This was written by Jeff Bonwick and was committed to OpenSolaris on November 1, 2009. It appears that Jeff meant to continue the outer loop iteration when `ddp->ddp_phys_birth == 0`, but put his check inside the inner loop. This causes a pointer to uninitialized memory to be passed to ddt_lookup() inside a VERIFY() statement whenever that condition is true.

Reported-by: Coverity (CID 1524462)
Reviewed-by: Damian Szuberski <[email protected]>
Reviewed-by: Alexander Motin <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Richard Yao <[email protected]>
Closes #14264
Diffstat (limited to 'cmd')
-rw-r--r--  cmd/zdb/zdb.c  5
1 files changed, 3 insertions, 2 deletions
diff --git a/cmd/zdb/zdb.c b/cmd/zdb/zdb.c
index 5212b23cd..12301ae86 100644
--- a/cmd/zdb/zdb.c
+++ b/cmd/zdb/zdb.c
@@ -5779,9 +5779,10 @@ zdb_ddt_leak_init(spa_t *spa, zdb_cb_t *zcb)
ASSERT(ddt_phys_total_refcnt(&dde) > 1);
+ if (ddp->ddp_phys_birth == 0)
+ continue;
+
for (p = 0; p < DDT_PHYS_TYPES; p++, ddp++) {
- if (ddp->ddp_phys_birth == 0)
- continue;
ddt_bp_create(ddb.ddb_checksum,
&dde.dde_key, ddp, &blk);
if (p == DDT_PHYS_DITTO) {
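Review bot: hoisting `if (ddp->ddp_phys_birth == 0) continue;` above the `for (p = 0; p < DDT_PHYS_TYPES; p++, ddp++)` loop tests only the first ddt_phys_t entry (the value `ddp` holds before the loop starts), so entries at p >= 1 whose `ddp_phys_birth` is 0 are no longer skipped and are now handed to `ddt_bp_create()` and counted; the removed per-entry `continue` was doing real work for those entries, and the commit message does not say that this counting change is intended. If the goal is only to make sure `blk` is initialized before the `VERIFY(ddt_lookup(...))` that the commit message mentions, a narrower fix is to keep the per-entry skip inside the loop and either initialize `blk` before the loop or track whether any entry produced a block pointer and skip the lookup otherwise. Whichever is chosen, please state in the commit message whether skipping the whole DDT entry whenever its first phys slot has birth 0 is the intended semantics.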