From d30db519af44b905fc52b8c8ba34f6378aa03470 Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Sat, 3 Dec 2022 15:09:48 -0500 Subject: [PATCH] zdb: zdb_ddt_leak_init() reads uninitialized memory when birth == 0 This was written by Jeff Bonick and was committed to OpenSolaris on November 1, 2009. It appears that Jeff meant to continue the outer loop iteration when `ddp->ddp_phys_birth == 0`, but put his check inside the inner loop. This causes a pointer to uninitialized memory to be passed to ddt_lookup() inside a VERIFY() statement whenever that condition is true. Reported-by: Coverity (CID 1524462) Reviewed-by: Damian Szuberski Reviewed-by: Alexander Motin Reviewed-by: Brian Behlendorf Signed-off-by: Richard Yao Closes #14264 --- cmd/zdb/zdb.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cmd/zdb/zdb.c b/cmd/zdb/zdb.c index 5212b23cd7..12301ae86c 100644 --- a/cmd/zdb/zdb.c +++ b/cmd/zdb/zdb.c @@ -5779,9 +5779,10 @@ zdb_ddt_leak_init(spa_t *spa, zdb_cb_t *zcb) ASSERT(ddt_phys_total_refcnt(&dde) > 1); + if (ddp->ddp_phys_birth == 0) + continue; + for (p = 0; p < DDT_PHYS_TYPES; p++, ddp++) { - if (ddp->ddp_phys_birth == 0) - continue; ddt_bp_create(ddb.ddb_checksum, &dde.dde_key, ddp, &blk); if (p == DDT_PHYS_DITTO) {
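Review bot: hoisting the `ddp->ddp_phys_birth == 0` check above the `for (p = 0; p < DDT_PHYS_TYPES; p++, ddp++)` loop changes what is being tested, not just where: the inner loop walks one `ddp` per phys type and the original check skipped only the individual slots with a zero birth time, whereas the new check looks at the first slot only and, if that one is unpopulated, skips the whole entry, while any later slot with `ddp_phys_birth == 0` now reaches `ddt_bp_create()` unguarded. Since `ASSERT(ddt_phys_total_refcnt(&dde) > 1)` sums refcounts over all slots, an entry whose refcount lives in a later slot is entirely plausible, so this both drops entries that should be counted and feeds zero-birth slots into `ddt_bp_create()`. The commit message's reading that the original author meant to continue the outer loop is not supported by the visible lines; the per-slot placement is the one consistent with the loop structure. Suggest keeping the check inside the loop and addressing the Coverity report at its source instead, i.e. making sure `ddp` is pointed at a fully initialized `dde.dde_phys` slot before the loop (how `ddp` is set is outside this hunk and should be shown in the patch).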