[PATCH] mkfs.ubifs: Fix heap corruption on LEB overrun

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kevin Cernekee <cernekee@gmail.com>
To: <dedekind1@gmail.com>
Cc: linux-mtd@lists.infradead.org
Subject: [PATCH] mkfs.ubifs: Fix heap corruption on LEB overrun
Date: Wed, 22 Sep 2010 16:01:59 -0700	[thread overview]
Message-ID: <1fcf6a9591841eba82df96a80da0bdfa@localhost> (raw)

If max_leb_cnt (-c option) is set too low, set_lprops() will corrupt
the heap and may result in a scary looking crash:

$ bin/mkfs.ubifs -U -r romfs -o ubifs.img -m 512 -e 15360 -c 39
Error: max_leb_cnt too low (241 needed)
*** glibc detected *** bin/mkfs.ubifs: double free or corruption (!prev): 0x088fe070 ***
======= Backtrace: =========
/lib32/libc.so.6(+0x6c231)[0xf75fb231]
/lib32/libc.so.6(+0x6dab8)[0xf75fcab8]
/lib32/libc.so.6(cfree+0x6d)[0xf75ffb9d]
bin/mkfs.ubifs[0x804e801]
bin/mkfs.ubifs[0x804e94b]
bin/mkfs.ubifs[0x804e99d]
/lib32/libc.so.6(__libc_start_main+0xe6)[0xf75a5bd6]
bin/mkfs.ubifs(__fxstat64+0x55)[0x80491e1]
======= Memory map: ========
08048000-0805d000 r-xp 00000000 08:08 10012045                           /work/bin/mkfs.ubifs
0805d000-0805e000 rwxp 00015000 08:08 10012045                           /work/bin/mkfs.ubifs
088fe000-08945000 rwxp 00000000 00:00 0                                  [heap]
f73e1000-f73fe000 r-xp 00000000 08:05 2228842                            /usr/lib32/libgcc_s.so.1
f73fe000-f73ff000 r-xp 0001c000 08:05 2228842                            /usr/lib32/libgcc_s.so.1
f73ff000-f7400000 rwxp 0001d000 08:05 2228842                            /usr/lib32/libgcc_s.so.1
f7400000-f7421000 rwxp 00000000 00:00 0
f7421000-f7500000 ---p 00000000 00:00 0
f751c000-f758f000 rwxp 00000000 00:00 0
f758f000-f76e2000 r-xp 00000000 08:05 426288                             /lib32/libc-2.11.1.so
f76e2000-f76e3000 ---p 00153000 08:05 426288                             /lib32/libc-2.11.1.so
f76e3000-f76e5000 r-xp 00153000 08:05 426288                             /lib32/libc-2.11.1.so
f76e5000-f76e6000 rwxp 00155000 08:05 426288                             /lib32/libc-2.11.1.so
f76e6000-f76e9000 rwxp 00000000 00:00 0
f76e9000-f770d000 r-xp 00000000 08:05 426296                             /lib32/libm-2.11.1.so
f770d000-f770e000 r-xp 00023000 08:05 426296                             /lib32/libm-2.11.1.so
f770e000-f770f000 rwxp 00024000 08:05 426296                             /lib32/libm-2.11.1.so
f772a000-f772c000 rwxp 00000000 00:00 0
f772c000-f772d000 r-xp 00000000 00:00 0                                  [vdso]
f772d000-f7749000 r-xp 00000000 08:05 6062081                            /lib32/ld-2.11.1.so
f7749000-f774a000 r-xp 0001b000 08:05 6062081                            /lib32/ld-2.11.1.so
f774a000-f774b000 rwxp 0001c000 08:05 6062081                            /lib32/ld-2.11.1.so
ffb58000-ffb6d000 rwxp 00000000 00:00 0                                  [stack]
Aborted

New code aborts cleanly, and still calculates the number of LEBs
required:

$ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 39
Error: max_leb_cnt too low (241 needed)
$ echo $?
255
$ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 240
Error: max_leb_cnt too low (241 needed)
$ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 241
$

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
---
 mkfs.ubifs/mkfs.ubifs.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/mkfs.ubifs/mkfs.ubifs.c b/mkfs.ubifs/mkfs.ubifs.c
index 9f2a226..60fe861 100644
--- a/mkfs.ubifs/mkfs.ubifs.c
+++ b/mkfs.ubifs/mkfs.ubifs.c
@@ -898,9 +898,11 @@ static void set_lprops(int lnum, int offs, int flags)
 	dirty = c->leb_size - free - ALIGN(offs, 8);
 	dbg_msg(3, "LEB %d free %d dirty %d flags %d", lnum, free, dirty,
 		flags);
-	c->lpt[i].free = free;
-	c->lpt[i].dirty = dirty;
-	c->lpt[i].flags = flags;
+	if (i < c->main_lebs) {
+		c->lpt[i].free = free;
+		c->lpt[i].dirty = dirty;
+		c->lpt[i].flags = flags;
+	}
 	c->lst.total_free += free;
 	c->lst.total_dirty += dirty;
 	if (flags & LPROPS_INDEX)
@@ -1902,8 +1904,6 @@ static int finalize_leb_cnt(void)
 {
 	c->leb_cnt = head_lnum;
 	if (c->leb_cnt > c->max_leb_cnt)
-		/* TODO: in this case it segfaults because buffer overruns - we
-		 * somewhere allocate smaller buffers - fix */
 		return err_msg("max_leb_cnt too low (%d needed)", c->leb_cnt);
 	c->main_lebs = c->leb_cnt - c->main_first;
 	if (verbose) {
-- 
1.7.0.4

next             reply	other threads:[~2010-09-22 23:09 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-09-22 23:01 Kevin Cernekee [this message]
2010-09-23 13:06 ` [PATCH] mkfs.ubifs: Fix heap corruption on LEB overrun Artem Bityutskiy

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:9f2a226 dfblob:60fe861 )
 OR (
bs:"[PATCH] mkfs.ubifs: Fix heap corruption on LEB overrun" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1fcf6a9591841eba82df96a80da0bdfa@localhost \
    --to=cernekee@gmail.com \
    --cc=dedekind1@gmail.com \
    --cc=linux-mtd@lists.infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.