mtd-utils: fixes double free in mkfs.ubifs

Message ID 20190124090629.134985-1-yuyufen@huawei.com
State New
Delegated to: David Oberhollenzer
Headers show
Series
  • mtd-utils: fixes double free in mkfs.ubifs
Related show

Commit Message

yuyufen Jan. 24, 2019, 9:06 a.m.
In inode_add_xattr(), it malloc a buffer for name, and then passes
the bufffer ptr to add_xattr(). The ptr will be used to create a new
idx_entry in add_to_index().

However, inode_add_xattr() will free the buffer before return.
which can cause double free in write_index(): free(idx_ptr[i]->name)

*** Error in `./mkfs.ubifs': double free or corruption (fasttop): 0x0000000000aae220 ***

Comments

David Oberhollenzer Feb. 11, 2019, 5:21 a.m. | #1
Applied to mtd-utils.git master

Sorry for the delay, I was looking into this in a bit more detail and also waiting for
some feedback on a related bug report.

Unfortunately some of the newer code (encryption support) assumes the current behaviour
and allocates the attribute name, so this patch will cause it to leak memory, which is
IMO still less of a problem than mkfs.ubifs failing entirely with a double free error
message, so I applied it for now.

Thanks,

David

Patch

======= Backtrace: =========
/lib64/libc.so.6(+0x7cbac)[0x7f4881ff5bac]
/lib64/libc.so.6(+0x87a59)[0x7f4882000a59]
/lib64/libc.so.6(cfree+0x16e)[0x7f48820063be]
./mkfs.ubifs[0x402fbf]
/lib64/libc.so.6(__libc_start_main+0xea)[0x7f4881f9988a]
./mkfs.ubifs[0x40356a]

Signed-off-by: Yufen Yu <yuyufen@huawei.com>
---
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index 6e11ec8..e0c42f3 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -1163,8 +1163,9 @@  static int add_xattr(struct ubifs_ino_node *host_ino, struct stat *st,
 	union ubifs_key xkey, nkey;
 	int len, ret;
 
-	nm.name = name;
 	nm.len = strlen(name);
+	nm.name = xmalloc(nm.len + 1);
+	memcpy(nm.name, name, nm.len + 1);
 
 	host_ino->xattr_cnt++;
 	host_ino->xattr_size += CALC_DENT_SIZE(nm.len);