From: Brian Foster <bfoster@redhat.com>
To: Zorro Lang <zlang@redhat.com>
Cc: linux-xfs@vger.kernel.org
Subject: Re: [PATCH] db/print: bad character cause illegal memory access
Date: Tue, 9 Jan 2018 10:55:37 -0500 [thread overview]
Message-ID: <20180109155536.GA888@bfoster.bfoster> (raw)
In-Reply-To: <20180109062027.4570-1-zlang@redhat.com>
On Tue, Jan 09, 2018 at 02:20:27PM +0800, Zorro Lang wrote:
> xfs_db can print specified field values, likes:
> # xfs_db -c "inode $inum" -c "print core.nblocks" $dev
>
> But when we give it some bad chararcters, the 'print' command will
> crash:
>
> # xfs_db -r -c "inode 67211167" -c "print core.*" /dev/mapper/rhel-root
> bad character in field *
> *** Error in `xfs_db': free(): invalid pointer: 0x00007fa116e937b8 ***
> ...
> (crash messages)
> ...
> # xfs_db -r -c "inode 67211167" -c "print core.\"" /dev/mapper/rhel-root
> missing closing quote
> *** Error in `xfs_db': free(): invalid pointer: 0x00007f6e8e3c37b8 ***
> ...
> (crash messages)
> ...
>
> The reason is xfs_db call ftok_free() to free ftok_t list, but
> flist_split() forgets to set the tail to NULL. That cause ftok_free()
> trys to free illegal memory address.
>
> Signed-off-by: Zorro Lang <zlang@redhat.com>
> ---
> db/flist.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/db/flist.c b/db/flist.c
> index e11acbfc..1a875b95 100644
> --- a/db/flist.c
> +++ b/db/flist.c
> @@ -371,11 +371,14 @@ flist_split(
> v = xmalloc(sizeof(*v));
> v->tok = NULL;
> while (*s) {
> + v = xrealloc(v, (nv + 1) * sizeof(*v));
> /* need to add string handling */
> if (*s == '\"') {
> s++; /* skip first quote */
> if ((a = strrchr(s, '\"')) == NULL) {
> dbprintf(_("missing closing quote %s\n"), s);
> + v[nv].tok = NULL;
> + v[nv].tokty = TT_END;
> ftok_free(v);
> return NULL;
> }
> @@ -393,19 +396,21 @@ flist_split(
> t = puncttypes[a - punctchars];
> } else {
> dbprintf(_("bad character in field %s\n"), s);
> + v[nv].tok = NULL;
> + v[nv].tokty = TT_END;
> ftok_free(v);
> return NULL;
> }
> a = xmalloc(l + 1);
> strncpy(a, s, l);
> a[l] = '\0';
> - v = xrealloc(v, (nv + 2) * sizeof(*v));
> v[nv].tok = a;
> v[nv].tokty = t;
> nv++;
> s += l + tailskip;
> tailskip = 0;
> }
> + v = xrealloc(v, (nv + 1) * sizeof(*v));
> v[nv].tok = NULL;
Could we just move the above line into the loop (right after nv is
bumped) to initialize .tok similar to the initial allocation before the
loop?
Brian
> v[nv].tokty = TT_END;
> return v;
> --
> 2.13.6
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-01-09 15:55 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-09 6:20 [PATCH] db/print: bad character cause illegal memory access Zorro Lang
2018-01-09 15:55 ` Brian Foster [this message]
2018-01-10 7:00 ` Zorro Lang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180109155536.GA888@bfoster.bfoster \
--to=bfoster@redhat.com \
--cc=linux-xfs@vger.kernel.org \
--cc=zlang@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.