mtd-utils: fixes double free in mkfs.ubifs

Message ID	20190124090629.134985-1-yuyufen@huawei.com
State	Accepted
Delegated to:	David Oberhollenzer
Headers	show Return-Path: <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Yufen Yu <yuyufen@huawei.com> To: <linux-mtd@lists.infradead.org>, <richard@nod.at>, <david.oberhollenzer@sigma-star.at> Subject: [PATCH] mtd-utils: fixes double free in mkfs.ubifs Date: Thu, 24 Jan 2019 17:06:29 +0800 Message-ID: <20190124090629.134985-1-yuyufen@huawei.com> MIME-Version: 1.0 summary: Content analysis details: (-2.3 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust [45.249.212.32 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-mtd" <linux-mtd-bounces@lists.infradead.org> Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	mtd-utils: fixes double free in mkfs.ubifs \| expand mtd-utils: fixes double free in mkfs.ubifs

Message ID

20190124090629.134985-1-yuyufen@huawei.com

State

Accepted

Delegated to:

David Oberhollenzer

Headers

From: Yufen Yu <yuyufen@huawei.com>
To: <linux-mtd@lists.infradead.org>, <richard@nod.at>,
	<david.oberhollenzer@sigma-star.at>
Subject: [PATCH] mtd-utils: fixes double free in mkfs.ubifs
Date: Thu, 24 Jan 2019 17:06:29 +0800
Message-ID: <20190124090629.134985-1-yuyufen@huawei.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-mtd" <linux-mtd-bounces@lists.infradead.org>
Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

mtd-utils: fixes double free in mkfs.ubifs | expand

Commit Message

yuyufen Jan. 24, 2019, 9:06 a.m. UTC

In inode_add_xattr(), it malloc a buffer for name, and then passes
the bufffer ptr to add_xattr(). The ptr will be used to create a new
idx_entry in add_to_index().

However, inode_add_xattr() will free the buffer before return.
which can cause double free in write_index(): free(idx_ptr[i]->name)

*** Error in `./mkfs.ubifs': double free or corruption (fasttop): 0x0000000000aae220 ***

Comments

David Oberhollenzer Feb. 11, 2019, 5:21 a.m. UTC | #1

Applied to mtd-utils.git master

Sorry for the delay, I was looking into this in a bit more detail and also waiting for
some feedback on a related bug report.

Unfortunately some of the newer code (encryption support) assumes the current behaviour
and allocates the attribute name, so this patch will cause it to leak memory, which is
IMO still less of a problem than mkfs.ubifs failing entirely with a double free error
message, so I applied it for now.

Thanks,

David

======= Backtrace: =========
/lib64/libc.so.6(+0x7cbac)[0x7f4881ff5bac]
/lib64/libc.so.6(+0x87a59)[0x7f4882000a59]
/lib64/libc.so.6(cfree+0x16e)[0x7f48820063be]
./mkfs.ubifs[0x402fbf]
/lib64/libc.so.6(__libc_start_main+0xea)[0x7f4881f9988a]
./mkfs.ubifs[0x40356a]

Signed-off-by: Yufen Yu <yuyufen@huawei.com>
---
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index 6e11ec8..e0c42f3 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -1163,8 +1163,9 @@  static int add_xattr(struct ubifs_ino_node *host_ino, struct stat *st,
 	union ubifs_key xkey, nkey;
 	int len, ret;
 
-	nm.name = name;
 	nm.len = strlen(name);
+	nm.name = xmalloc(nm.len + 1);
+	memcpy(nm.name, name, nm.len + 1);
 
 	host_ino->xattr_cnt++;
 	host_ino->xattr_size += CALC_DENT_SIZE(nm.len);

mtd-utils: fixes double free in mkfs.ubifs

Commit Message

Comments

Patch