From: Yufen Yu <yuyufen@huawei.com>
To: <linux-mtd@lists.infradead.org>, <richard@nod.at>,
<david.oberhollenzer@sigma-star.at>
Subject: [PATCH] mtd-utils: fixes double free in mkfs.ubifs
Date: Thu, 24 Jan 2019 17:06:29 +0800
Message-ID: <20190124090629.134985-1-yuyufen@huawei.com>
In inode_add_xattr(), it mallocs a buffer for name, and then passes
the buffer ptr to add_xattr(). The ptr will be used to create a new
idx_entry in add_to_index().
However, inode_add_xattr() will free the buffer before returning,
which can cause a double free in write_index(): free(idx_ptr[i]->name)
*** Error in `./mkfs.ubifs': double free or corruption (fasttop): 0x0000000000aae220 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7cbac)[0x7f4881ff5bac]
/lib64/libc.so.6(+0x87a59)[0x7f4882000a59]
/lib64/libc.so.6(cfree+0x16e)[0x7f48820063be]
./mkfs.ubifs[0x402fbf]
/lib64/libc.so.6(__libc_start_main+0xea)[0x7f4881f9988a]
./mkfs.ubifs[0x40356a]
Signed-off-by: Yufen Yu <yuyufen@huawei.com>
---
ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index 6e11ec8..e0c42f3 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -1163,8 +1163,9 @@ static int add_xattr(struct ubifs_ino_node *host_ino, struct stat *st,
union ubifs_key xkey, nkey;
int len, ret;
- nm.name = name;
nm.len = strlen(name);
+ nm.name = xmalloc(nm.len + 1);
+ memcpy(nm.name, name, nm.len + 1);
host_ino->xattr_cnt++;
host_ino->xattr_size += CALC_DENT_SIZE(nm.len);
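Review bot: The copy made at "nm.name = xmalloc(nm.len + 1)" has no visible release on any path that leaves add_xattr() before the entry reaches add_to_index(), so an error return between this allocation and the index insertion would leak it. Either free nm.name on those paths or move the allocation to just before the insertion. A short comment at the allocation stating that the index owns this copy and that write_index() frees it would also keep a later cleanup from reintroducing the alias to the caller's buffer.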
--
2.13.6
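The ownership conflict described in the commit message, reduced to a stand-alone C model. This is an added example, not code from the patch or from mtd-utils. The names add_entry(), run(), tracked_free() and dup_or_die() and the attribute strings are hypothetical stand-ins, and released pointers are held in a quarantine so that a second free of the same address is counted instead of executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct idx_entry { char *name; };   /* the index frees name when written out */
static struct idx_entry idx[8];
static void *quarantine[16];
static int idx_cnt, q_cnt, double_frees;

/* Hold released pointers instead of freeing them at once, so a second
 * release of the same address is counted rather than corrupting the heap. */
static void tracked_free(void *p)
{
    for (int i = 0; i < q_cnt; i++)
        if (quarantine[i] == p) { double_frees++; return; }
    quarantine[q_cnt++] = p;
}

static char *dup_or_die(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (!p) abort();
    return strcpy(p, s);
}

/* Stand-in for add_xattr(): copy=0 stores the caller's pointer (pre-patch),
 * copy=1 stores a private copy that only the index owns (post-patch). */
static void add_entry(char *name, int copy)
{
    idx[idx_cnt++].name = copy ? dup_or_die(name) : name;
}

/* Builds and tears down one index; returns the double frees observed. */
static int run(int copy)
{
    const char *attrs[] = { "user.a", "security.selinux" };  /* constructed */
    idx_cnt = q_cnt = double_frees = 0;
    for (int i = 0; i < 2; i++) {
        char *name = dup_or_die(attrs[i]);   /* caller's temporary buffer */
        add_entry(name, copy);
        tracked_free(name);                  /* caller frees before returning */
    }
    for (int i = 0; i < idx_cnt; i++) tracked_free(idx[i].name); /* write_index() stand-in */
    for (int i = 0; i < q_cnt; i++) free(quarantine[i]);         /* free each address once */
    return double_frees;
}

int main(void) { printf("aliased: %d, copied: %d\n", run(0), run(1)); return 0; }
```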