Linux-mtd Archive on lore.kernel.org
* [PATCH] mtd-utils: fixes double free in mkfs.ubifs
@ 2019-01-24  9:06 Yufen Yu
  2019-02-11  5:21 ` David Oberhollenzer
  0 siblings, 1 reply; 2+ messages in thread
From: Yufen Yu @ 2019-01-24  9:06 UTC (permalink / raw)
  To: linux-mtd, richard, david.oberhollenzer

In inode_add_xattr(), it mallocs a buffer for the name, and then passes
the buffer pointer to add_xattr(). The pointer will be used to create a new
idx_entry in add_to_index().

However, inode_add_xattr() will free the buffer before returning,
which can cause a double free in write_index(): free(idx_ptr[i]->name)

*** Error in `./mkfs.ubifs': double free or corruption (fasttop): 0x0000000000aae220 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7cbac)[0x7f4881ff5bac]
/lib64/libc.so.6(+0x87a59)[0x7f4882000a59]
/lib64/libc.so.6(cfree+0x16e)[0x7f48820063be]
./mkfs.ubifs[0x402fbf]
/lib64/libc.so.6(__libc_start_main+0xea)[0x7f4881f9988a]
./mkfs.ubifs[0x40356a]

Signed-off-by: Yufen Yu <yuyufen@huawei.com>
---
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index 6e11ec8..e0c42f3 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -1163,8 +1163,9 @@ static int add_xattr(struct ubifs_ino_node *host_ino, struct stat *st,
 	union ubifs_key xkey, nkey;
 	int len, ret;
 
-	nm.name = name;
 	nm.len = strlen(name);
+	nm.name = xmalloc(nm.len + 1);
+	memcpy(nm.name, name, nm.len + 1);
 
 	host_ino->xattr_cnt++;
 	host_ino->xattr_size += CALC_DENT_SIZE(nm.len);
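Review bot: the copy allocated at `nm.name = xmalloc(nm.len + 1);` is only ever released by write_index() after add_to_index() has stored it in an idx_entry, so any early return from add_xattr() between this allocation and that hand-off (the function has a `ret` and returns int) now leaks the copy where the old aliasing code leaked nothing. Either free nm.name on those error paths, or move the duplication to the point where the idx_entry is created so ownership is transferred exactly once and the rest of add_xattr() keeps working on the caller's buffer.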
-- 
2.13.6


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
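The ownership hand-off the commit message describes, modelled as an added example. This is not mkfs.ubifs code: the function names mirror mkfs.ubifs, but their bodies, the fixed-size idx_ptr[] table and the index_references() helper are assumptions for illustration. The aliasing path returns 1 instead of performing the fatal free() so the model stays memory-safe while still showing that the index holds the caller's buffer.

```c
/* Added example, not mtd-utils code: a model of the double-free
 * ownership bug. Names mirror mkfs.ubifs; bodies are assumptions. */
#include <stdlib.h>
#include <string.h>

struct idx_entry {
	char *name;		/* the index keeps the pointer it is handed */
};

#define MAX_IDX 16
static struct idx_entry *idx_ptr[MAX_IDX];	/* assumed fixed-size table */
static int idx_cnt;

/* Stores name by pointer: ownership moves to the index on success. */
static int add_to_index(char *name)
{
	struct idx_entry *e;

	if (idx_cnt >= MAX_IDX)
		return -1;
	e = malloc(sizeof(*e));
	if (!e)
		return -1;
	e->name = name;
	idx_ptr[idx_cnt++] = e;
	return 0;
}

/* Pre-patch behaviour: hands the caller's own buffer to the index. */
static int add_xattr_aliasing(char *name)
{
	return add_to_index(name);
}

/* Post-patch behaviour: the index gets a private copy (the hunk does the
 * same with xmalloc() + memcpy()). The copy is released here if the index
 * refuses it, so ownership is unambiguous on every path. */
static int add_xattr_copying(const char *name)
{
	size_t len = strlen(name);
	char *copy = malloc(len + 1);
	int ret;

	if (!copy)
		return -1;
	memcpy(copy, name, len + 1);
	ret = add_to_index(copy);
	if (ret)
		free(copy);
	return ret;
}

/* Assumed helper: 1 if the index still points at p, 0 otherwise. */
static int index_references(const char *p)
{
	int i;

	for (i = 0; i < idx_cnt; i++)
		if (idx_ptr[i]->name == p)
			return 1;
	return 0;
}

/* Models inode_add_xattr(): allocate, hand off, free. Returns 1 if the
 * trailing free() would be the first half of a double free (the index
 * still owns buf), 0 if the hand-off was clean, -1 on failure. In the
 * 1 case buf is deliberately left for write_index() to release. */
static int inode_add_xattr(const char *attr, int copying)
{
	size_t len = strlen(attr);
	char *buf = malloc(len + 1);
	int ret;

	if (!buf)
		return -1;
	memcpy(buf, attr, len + 1);
	ret = copying ? add_xattr_copying(buf) : add_xattr_aliasing(buf);
	if (ret) {
		free(buf);
		return -1;
	}
	if (index_references(buf))
		return 1;	/* real code frees buf here: double free later */
	free(buf);
	return 0;
}

/* Models write_index(): frees every entry and its name, returns the count. */
static int write_index(void)
{
	int i, n = idx_cnt;

	for (i = 0; i < n; i++) {
		free(idx_ptr[i]->name);
		free(idx_ptr[i]);
		idx_ptr[i] = NULL;
	}
	idx_cnt = 0;
	return n;
}
```

To see the real failure rather than the modelled one, replace the `return 1;` guard in inode_add_xattr() with `free(buf);` and build with `gcc -fsanitize=address`: AddressSanitizer reports the second free() inside write_index() with both allocation and first-free stacks, which is far more useful than the glibc "double free or corruption" abort in the backtrace above.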


* Re: [PATCH] mtd-utils: fixes double free in mkfs.ubifs
  2019-01-24  9:06 [PATCH] mtd-utils: fixes double free in mkfs.ubifs Yufen Yu
@ 2019-02-11  5:21 ` David Oberhollenzer
  0 siblings, 0 replies; 2+ messages in thread
From: David Oberhollenzer @ 2019-02-11  5:21 UTC (permalink / raw)
  To: Yufen Yu; +Cc: richard, linux-mtd

Applied to mtd-utils.git master

Sorry for the delay, I was looking into this in a bit more detail and also waiting for
some feedback on a related bug report.

Unfortunately some of the newer code (encryption support) assumes the current behaviour
and allocates the attribute name, so this patch will cause it to leak memory, which is
IMO still less of a problem than mkfs.ubifs failing entirely with a double free error
message, so I applied it for now.

Thanks,

David

