linux-mtd.lists.infradead.org archive mirror
* [PATCH] mtd-utils: fixes double free in mkfs.ubifs
@ 2019-01-24  9:06 Yufen Yu
  2019-02-11  5:21 ` David Oberhollenzer
  0 siblings, 1 reply; 2+ messages in thread
From: Yufen Yu @ 2019-01-24  9:06 UTC (permalink / raw)
  To: linux-mtd, richard, david.oberhollenzer

In inode_add_xattr(), it mallocs a buffer for name, and then passes
the buffer ptr to add_xattr(). The ptr will be used to create a new
idx_entry in add_to_index().

However, inode_add_xattr() will free the buffer before return,
which can cause double free in write_index(): free(idx_ptr[i]->name)

*** Error in `./mkfs.ubifs': double free or corruption (fasttop): 0x0000000000aae220 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7cbac)[0x7f4881ff5bac]
/lib64/libc.so.6(+0x87a59)[0x7f4882000a59]
/lib64/libc.so.6(cfree+0x16e)[0x7f48820063be]
./mkfs.ubifs[0x402fbf]
/lib64/libc.so.6(__libc_start_main+0xea)[0x7f4881f9988a]
./mkfs.ubifs[0x40356a]

Signed-off-by: Yufen Yu <yuyufen@huawei.com>
---
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index 6e11ec8..e0c42f3 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -1163,8 +1163,9 @@ static int add_xattr(struct ubifs_ino_node *host_ino, struct stat *st,
 	union ubifs_key xkey, nkey;
 	int len, ret;
 
-	nm.name = name;
 	nm.len = strlen(name);
+	nm.name = xmalloc(nm.len + 1);
+	memcpy(nm.name, name, nm.len + 1);
 
 	host_ino->xattr_cnt++;
 	host_ino->xattr_size += CALC_DENT_SIZE(nm.len);
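
Review bot: The copy made at "nm.name = xmalloc(nm.len + 1)" changes who owns the name string, and nothing in the hunk records that. add_xattr() now keeps its own copy, so every caller stays responsible for freeing the name it passed in; a short comment above the function saying so would help, and any caller that passes a heap-allocated name and relied on the old pointer hand-off needs a matching free() or it leaks. It is also worth confirming that error returns later in add_xattr(), outside the lines shown, release nm.name when the copy never reaches the index.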
-- 
2.13.6


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/


* Re: [PATCH] mtd-utils: fixes double free in mkfs.ubifs
  2019-01-24  9:06 [PATCH] mtd-utils: fixes double free in mkfs.ubifs Yufen Yu
@ 2019-02-11  5:21 ` David Oberhollenzer
  0 siblings, 0 replies; 2+ messages in thread
From: David Oberhollenzer @ 2019-02-11  5:21 UTC (permalink / raw)
  To: Yufen Yu; +Cc: richard, linux-mtd

Applied to mtd-utils.git master

Sorry for the delay, I was looking into this in a bit more detail and also waiting for
some feedback on a related bug report.

Unfortunately some of the newer code (encryption support) assumes the current behaviour
and allocates the attribute name, so this patch will cause it to leak memory, which is
IMO still less of a problem than mkfs.ubifs failing entirely with a double free error
message, so I applied it for now.

Thanks,

David
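
The ownership rule discussed in this thread, as an added example that is not part of either message and is not mtd-utils code: the index stores its own copy of the name, the caller frees its own buffer, and teardown frees each stored name exactly once. The names idx_entry, index_add_copy, index_release and demo, and the sample attribute name, are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the index described in the thread. */
struct idx_entry { char *name; };       /* the index owns ->name */
static struct idx_entry *idx[8];
static int idx_cnt;

/* The index stores its own copy; the caller keeps ownership of `name`. */
static int index_add_copy(const char *name)
{
	size_t len = strlen(name);
	struct idx_entry *e;

	if (idx_cnt == 8 || !(e = malloc(sizeof(*e))))
		return -1;
	e->name = malloc(len + 1);
	if (!e->name) { free(e); return -1; }
	memcpy(e->name, name, len + 1);
	idx[idx_cnt++] = e;
	return 0;
}

/* Teardown frees every stored name exactly once; returns entries freed. */
static int index_release(void)
{
	int freed = 0;

	for (; idx_cnt > 0; freed++) {
		struct idx_entry *e = idx[--idx_cnt];
		free(e->name);
		free(e);
	}
	return freed;
}

/* Caller pattern from the thread: allocate a name, add it, free it. */
static int demo(void)
{
	char *name = malloc(16);
	int ok;

	if (!name) return -1;
	strcpy(name, "user.demo");      /* constructed sample, 10 bytes with NUL */
	ok = index_add_copy(name) == 0;
	free(name);                     /* caller's single free of its buffer */
	ok = ok && strcmp(idx[0]->name, "user.demo") == 0;
	return (ok && index_release() == 1) ? 0 : -1;
}

int main(void) { return demo(); }
```

With this contract a caller that allocates the name and never frees it leaks, and a callee that stores the caller's pointer instead of a copy brings back the double free.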
