From patchwork Wed Sep 22 23:01:59 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kevin Cernekee X-Patchwork-Id: 65474 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from bombadil.infradead.org (bombadil.infradead.org [18.85.46.34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id B5947B70DF for ; Thu, 23 Sep 2010 09:11:04 +1000 (EST) Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.72 #1 (Red Hat Linux)) id 1OyYQx-00036i-6x; Wed, 22 Sep 2010 23:09:03 +0000 Received: from [69.28.251.93] (helo=b32.net) by bombadil.infradead.org with esmtps (Exim 4.72 #1 (Red Hat Linux)) id 1OyYQt-00036K-TF for linux-mtd@lists.infradead.org; Wed, 22 Sep 2010 23:09:01 +0000 Received: (qmail 30403 invoked from network); 22 Sep 2010 23:08:56 -0000 Received: from unknown (HELO vps-1001064-677.cp.jvds.com) (127.0.0.1) by 127.0.0.1 with (DHE-RSA-AES128-SHA encrypted) SMTP; 22 Sep 2010 23:08:56 -0000 Received: by vps-1001064-677.cp.jvds.com (sSMTP sendmail emulation); Wed, 22 Sep 2010 16:08:56 -0700 From: Kevin Cernekee Date: Wed, 22 Sep 2010 16:01:59 -0700 Subject: [PATCH] mkfs.ubifs: Fix heap corruption on LEB overrun Message-Id: <1fcf6a9591841eba82df96a80da0bdfa@localhost> To: User-Agent: vim 7.1 MIME-Version: 1.0 Content-Disposition: inline X-CRM114-Version: 20090807-BlameThorstenAndJenny ( TRE 0.7.6 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20100922_190900_199202_2F6DF8D8 X-CRM114-Status: GOOD ( 20.98 ) X-Spam-Score: 2.5 (++) X-Spam-Report: SpamAssassin version 3.3.1 on bombadil.infradead.org summary: Content analysis details: (2.5 points) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 FREEMAIL_FROM Sender email is freemail (cernekee[at]gmail.com) 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS 1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list Cc: linux-mtd@lists.infradead.org X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-mtd-bounces@lists.infradead.org Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org If max_leb_cnt (-c option) is set too low, set_lprops() will corrupt the heap and may result in a scary looking crash: $ bin/mkfs.ubifs -U -r romfs -o ubifs.img -m 512 -e 15360 -c 39 Error: max_leb_cnt too low (241 needed) *** glibc detected *** bin/mkfs.ubifs: double free or corruption (!prev): 0x088fe070 *** ======= Backtrace: ========= /lib32/libc.so.6(+0x6c231)[0xf75fb231] /lib32/libc.so.6(+0x6dab8)[0xf75fcab8] /lib32/libc.so.6(cfree+0x6d)[0xf75ffb9d] bin/mkfs.ubifs[0x804e801] bin/mkfs.ubifs[0x804e94b] bin/mkfs.ubifs[0x804e99d] /lib32/libc.so.6(__libc_start_main+0xe6)[0xf75a5bd6] bin/mkfs.ubifs(__fxstat64+0x55)[0x80491e1] ======= Memory map: ======== 08048000-0805d000 r-xp 00000000 08:08 10012045 /work/bin/mkfs.ubifs 0805d000-0805e000 rwxp 00015000 08:08 10012045 /work/bin/mkfs.ubifs 088fe000-08945000 rwxp 00000000 00:00 0 [heap] f73e1000-f73fe000 r-xp 00000000 08:05 2228842 /usr/lib32/libgcc_s.so.1 f73fe000-f73ff000 r-xp 0001c000 08:05 2228842 /usr/lib32/libgcc_s.so.1 f73ff000-f7400000 rwxp 0001d000 08:05 2228842 /usr/lib32/libgcc_s.so.1 f7400000-f7421000 rwxp 00000000 00:00 0 f7421000-f7500000 ---p 00000000 00:00 0 f751c000-f758f000 rwxp 00000000 00:00 0 f758f000-f76e2000 r-xp 00000000 08:05 426288 /lib32/libc-2.11.1.so f76e2000-f76e3000 ---p 00153000 08:05 426288 /lib32/libc-2.11.1.so f76e3000-f76e5000 r-xp 00153000 08:05 426288 /lib32/libc-2.11.1.so f76e5000-f76e6000 rwxp 00155000 08:05 426288 /lib32/libc-2.11.1.so f76e6000-f76e9000 rwxp 00000000 00:00 0 f76e9000-f770d000 r-xp 00000000 08:05 426296 /lib32/libm-2.11.1.so f770d000-f770e000 r-xp 00023000 08:05 426296 /lib32/libm-2.11.1.so f770e000-f770f000 rwxp 00024000 08:05 426296 /lib32/libm-2.11.1.so f772a000-f772c000 rwxp 00000000 00:00 0 f772c000-f772d000 r-xp 00000000 00:00 0 [vdso] f772d000-f7749000 r-xp 00000000 08:05 6062081 /lib32/ld-2.11.1.so f7749000-f774a000 r-xp 0001b000 08:05 6062081 /lib32/ld-2.11.1.so f774a000-f774b000 rwxp 0001c000 08:05 6062081 /lib32/ld-2.11.1.so ffb58000-ffb6d000 rwxp 00000000 00:00 0 [stack] Aborted New code aborts cleanly, and still calculates the number of LEBs required: $ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 39 Error: max_leb_cnt too low (241 needed) $ echo $? 255 $ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 240 Error: max_leb_cnt too low (241 needed) $ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 241 $ Signed-off-by: Kevin Cernekee --- mkfs.ubifs/mkfs.ubifs.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) diff --git a/mkfs.ubifs/mkfs.ubifs.c b/mkfs.ubifs/mkfs.ubifs.c index 9f2a226..60fe861 100644 --- a/mkfs.ubifs/mkfs.ubifs.c +++ b/mkfs.ubifs/mkfs.ubifs.c @@ -898,9 +898,11 @@ static void set_lprops(int lnum, int offs, int flags) dirty = c->leb_size - free - ALIGN(offs, 8); dbg_msg(3, "LEB %d free %d dirty %d flags %d", lnum, free, dirty, flags); - c->lpt[i].free = free; - c->lpt[i].dirty = dirty; - c->lpt[i].flags = flags; + if (i < c->main_lebs) { + c->lpt[i].free = free; + c->lpt[i].dirty = dirty; + c->lpt[i].flags = flags; + } c->lst.total_free += free; c->lst.total_dirty += dirty; if (flags & LPROPS_INDEX) @@ -1902,8 +1904,6 @@ static int finalize_leb_cnt(void) { c->leb_cnt = head_lnum; if (c->leb_cnt > c->max_leb_cnt) - /* TODO: in this case it segfaults because buffer overruns - we - * somewhere allocate smaller buffers - fix */ return err_msg("max_leb_cnt too low (%d needed)", c->leb_cnt); c->main_lebs = c->leb_cnt - c->main_first; if (verbose) {