[PATCH] mount.cifs: fix crash when mount point does not exist

[PATCH] mount.cifs: fix crash when mount point does not exist

[Paulo Alcantara]

@mountpointp is initially set to a statically allocated string in
main(), and if we fail to update it in acquire_mountpoint(), make sure
to set it to NULL and avoid freeing it at mount_exit.

This fixes the following crash

	$ mount.cifs //srv/share /mnt/foo/bar -o ...
	Couldn't chdir to /mnt/foo/bar: No such file or directory
	munmap_chunk(): invalid pointer
	Aborted

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
---
 mount.cifs.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/mount.cifs.c b/mount.cifs.c
index 7f898bbd215a..84274c98ddf5 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1996,9 +1996,9 @@ acquire_mountpoint(char **mountpointp)
 	 */
 	realuid = getuid();
 	if (realuid == 0) {
-		dacrc = toggle_dac_capability(0, 1);
-		if (dacrc)
-			return dacrc;
+		rc = toggle_dac_capability(0, 1);
+		if (rc)
+			goto out;
 	} else {
 		oldfsuid = setfsuid(realuid);
 		oldfsgid = setfsgid(getgid());
@@ -2019,7 +2019,6 @@ acquire_mountpoint(char **mountpointp)
 		rc = EX_SYSERR;
 	}
 
-	*mountpointp = mountpoint;
 restore_privs:
 	if (realuid == 0) {
 		dacrc = toggle_dac_capability(0, 0);
@@ -2030,9 +2029,13 @@ restore_privs:
 		gid_t __attribute__((unused)) gignore = setfsgid(oldfsgid);
 	}
 
-	if (rc)
+out:
+	if (rc) {
 		free(mountpoint);
+		mountpoint = NULL;
+	}
 
+	*mountpointp = mountpoint;
 	return rc;
 }
 
-- 
2.31.1

Re: [PATCH] mount.cifs: fix crash when mount point does not exist

[Aurélien Aptel]

Paulo Alcantara <pc@cjr.nz> writes:
> @mountpointp is initially set to a statically allocated string in
> main(), and if we fail to update it in acquire_mountpoint(), make sure
> to set it to NULL and avoid freeing it at mount_exit.
>
> This fixes the following crash
>
> 	$ mount.cifs //srv/share /mnt/foo/bar -o ...
> 	Couldn't chdir to /mnt/foo/bar: No such file or directory
> 	munmap_chunk(): invalid pointer
> 	Aborted

LGTM

Reviewed-by: Aurelien Aptel <aaptel@suse.com>

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

Re: [PATCH] mount.cifs: fix crash when mount point does not exist

[Pavel Shilovsky]

пт, 7 мая 2021 г. в 03:42, Aurélien Aptel <aaptel@suse.com>:
>
> Paulo Alcantara <pc@cjr.nz> writes:
> > @mountpointp is initially set to a statically allocated string in
> > main(), and if we fail to update it in acquire_mountpoint(), make sure
> > to set it to NULL and avoid freeing it at mount_exit.
> >
> > This fixes the following crash
> >
> >       $ mount.cifs //srv/share /mnt/foo/bar -o ...
> >       Couldn't chdir to /mnt/foo/bar: No such file or directory
> >       munmap_chunk(): invalid pointer
> >       Aborted
>
> LGTM
>
> Reviewed-by: Aurelien Aptel <aaptel@suse.com>
>
> Cheers,
> --
> Aurélien Aptel / SUSE Labs Samba Team
> GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
> SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
> GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
>

Merged. Thanks!
--
Best regards,
Pavel Shilovsky