[PATCH] reiserfsprogs: fix use after free with fsck_progress

[PATCH] reiserfsprogs: fix use after free with fsck_progress

[Jeff Mahoney]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 fsck_progress uses fs to get the log file handle but fs is freed before
 fsck_progress is caleld when it's about to print the "finished" message.

 When glibc is run with:
 MALLOC_CHECK_=3
 MALLOC_PERTURB_=69

 as is the default on newer versions of openSUSE, it poisons freed memory
 to detect conditions like this. As a result, reiserfsck segfaults on these
 systems.

 This patch fixes fsck to close the file system after printing the completion
 message.

 Edward, I'm working on adding support to check extended attributes, so please
 hold off on an update until I post those patches early next week.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
- ---
 fsck/main.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

- --- a/fsck/main.c
+++ b/fsck/main.c
@@ -782,8 +782,8 @@ static int the_end (reiserfs_filsys_t *
     fsck_progress ("Syncing..");
     fs->fs_dirt = 1;
     clean_after_dma_check(fs->fs_dev, &dma_info);
- -    reiserfs_close (fs);
     fsck_progress ("finished\n");
+    reiserfs_close (fs);
 
     return ret;
 }
@@ -935,12 +935,12 @@ static void clean_attributes (reiserfs_f
     do_clean_attributes (fs);
 
     clean_after_dma_check(fs->fs_dev, &dma_info);
- -    reiserfs_close (fs);
- -    close_rollback_file ();
 
     fsck_progress ("###########\n"
 		   "reiserfsck finished at %s"
 		   "###########\n", ctime (&t));
+    reiserfs_close (fs);
+    close_rollback_file ();
 
     exit (EXIT_FIXED);
 
@@ -1171,8 +1171,6 @@ static void check_fs (reiserfs_filsys_t
         
     id_map_free(proper_id_map (fs));
     clean_after_dma_check(fs->fs_dev, &dma_info);
- -    reiserfs_close (fs);
- -    close_rollback_file ();
     
     //clear_relocated_list();    
     
@@ -1181,6 +1179,8 @@ static void check_fs (reiserfs_filsys_t
 		   "reiserfsck finished at %s"
 		   "###########\n", ctime (&t));
 
+    reiserfs_close (fs);
+    close_rollback_file ();
     exit(retval);
 }
 
- -- 
Jeff Mahoney
SUSE Labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkvHicIACgkQLPWxlyuTD7JeKQCffKg7XjQMpddTtn9okQj1rntH
OOEAnjRn3heRzXPgckhl7g219rFNoFXp
=J7WL
-----END PGP SIGNATURE-----

Re: [PATCH] reiserfsprogs: fix use after free with fsck_progress

[Jeff Mahoney]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/15/2010 05:48 PM, Jeff Mahoney wrote:
>  fsck_progress uses fs to get the log file handle but fs is freed before
>  fsck_progress is caleld when it's about to print the "finished" message.
> 
>  When glibc is run with:
>  MALLOC_CHECK_=3
>  MALLOC_PERTURB_=69
> 
>  as is the default on newer versions of openSUSE, it poisons freed memory
>  to detect conditions like this. As a result, reiserfsck segfaults on these
>  systems.
> 
>  This patch fixes fsck to close the file system after printing the completion
>  message.
> 
>  Edward, I'm working on adding support to check extended attributes, so please
>  hold off on an update until I post those patches early next week.

BTW, until this fix is released in an actual update, it can be worked
around by just un-setting the two variables mentioned above.

- -Jeff

- -- 
Jeff Mahoney
SUSE Labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkvRpNkACgkQLPWxlyuTD7IfJACgp/qHg+2Rb+Qo57NwdH4m84Nn
z3IAniFX5QBBe3C/uGoN9B0IFSye5awG
=7Num
-----END PGP SIGNATURE-----