[PATCH] mtd-utils: fixes double free in mkfs.ubifs

* [PATCH] mtd-utils: fixes double free in mkfs.ubifs
@ 2019-01-24  9:06 Yufen Yu
  2019-02-11  5:21 ` David Oberhollenzer
  0 siblings, 1 reply; 2+ messages in thread
From: Yufen Yu @ 2019-01-24  9:06 UTC (permalink / raw)
  To: linux-mtd, richard, david.oberhollenzer

In inode_add_xattr(), it malloc a buffer for name, and then passes
the bufffer ptr to add_xattr(). The ptr will be used to create a new
idx_entry in add_to_index().

However, inode_add_xattr() will free the buffer before return.
which can cause double free in write_index(): free(idx_ptr[i]->name)

*** Error in `./mkfs.ubifs': double free or corruption (fasttop): 0x0000000000aae220 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7cbac)[0x7f4881ff5bac]
/lib64/libc.so.6(+0x87a59)[0x7f4882000a59]
/lib64/libc.so.6(cfree+0x16e)[0x7f48820063be]
./mkfs.ubifs[0x402fbf]
/lib64/libc.so.6(__libc_start_main+0xea)[0x7f4881f9988a]
./mkfs.ubifs[0x40356a]

Signed-off-by: Yufen Yu <yuyufen@huawei.com>
---
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index 6e11ec8..e0c42f3 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -1163,8 +1163,9 @@ static int add_xattr(struct ubifs_ino_node *host_ino, struct stat *st,
 	union ubifs_key xkey, nkey;
 	int len, ret;
 
-	nm.name = name;
 	nm.len = strlen(name);
+	nm.name = xmalloc(nm.len + 1);
+	memcpy(nm.name, name, nm.len + 1);
 
 	host_ino->xattr_cnt++;
 	host_ino->xattr_size += CALC_DENT_SIZE(nm.len);
-- 
2.13.6


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

^ permalink raw reply related	[flat|nested] 2+ messages in thread