From: Brian Foster <bfoster@redhat.com>
To: Zorro Lang <zlang@redhat.com>
Cc: linux-xfs@vger.kernel.org
Subject: Re: [PATCH] db/print: bad character cause illegal memory access
Date: Tue, 9 Jan 2018 10:55:37 -0500 [thread overview]
Message-ID: <20180109155536.GA888@bfoster.bfoster> (raw)
In-Reply-To: <20180109062027.4570-1-zlang@redhat.com>
On Tue, Jan 09, 2018 at 02:20:27PM +0800, Zorro Lang wrote:
> xfs_db can print specified field values, likes:
> # xfs_db -c "inode $inum" -c "print core.nblocks" $dev
>
> But when we give it some bad chararcters, the 'print' command will
> crash:
>
> # xfs_db -r -c "inode 67211167" -c "print core.*" /dev/mapper/rhel-root
> bad character in field *
> *** Error in `xfs_db': free(): invalid pointer: 0x00007fa116e937b8 ***
> ...
> (crash messages)
> ...
> # xfs_db -r -c "inode 67211167" -c "print core.\"" /dev/mapper/rhel-root
> missing closing quote
> *** Error in `xfs_db': free(): invalid pointer: 0x00007f6e8e3c37b8 ***
> ...
> (crash messages)
> ...
>
> The reason is xfs_db call ftok_free() to free ftok_t list, but
> flist_split() forgets to set the tail to NULL. That cause ftok_free()
> trys to free illegal memory address.
>
> Signed-off-by: Zorro Lang <zlang@redhat.com>
> ---
> db/flist.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/db/flist.c b/db/flist.c
> index e11acbfc..1a875b95 100644
> --- a/db/flist.c
> +++ b/db/flist.c
> @@ -371,11 +371,14 @@ flist_split(
> v = xmalloc(sizeof(*v));
> v->tok = NULL;
> while (*s) {
> + v = xrealloc(v, (nv + 1) * sizeof(*v));
> /* need to add string handling */
> if (*s == '\"') {
> s++; /* skip first quote */
> if ((a = strrchr(s, '\"')) == NULL) {
> dbprintf(_("missing closing quote %s\n"), s);
> + v[nv].tok = NULL;
> + v[nv].tokty = TT_END;
> ftok_free(v);
> return NULL;
> }
> @@ -393,19 +396,21 @@ flist_split(
> t = puncttypes[a - punctchars];
> } else {
> dbprintf(_("bad character in field %s\n"), s);
> + v[nv].tok = NULL;
> + v[nv].tokty = TT_END;
> ftok_free(v);
> return NULL;
> }
> a = xmalloc(l + 1);
> strncpy(a, s, l);
> a[l] = '\0';
> - v = xrealloc(v, (nv + 2) * sizeof(*v));
> v[nv].tok = a;
> v[nv].tokty = t;
> nv++;
> s += l + tailskip;
> tailskip = 0;
> }
> + v = xrealloc(v, (nv + 1) * sizeof(*v));
> v[nv].tok = NULL;
Could we just move the above line into the loop (right after nv is
bumped) to initialize .tok similar to the initial allocation before the
loop?
Brian
> v[nv].tokty = TT_END;
> return v;
> --
> 2.13.6
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-01-09 15:55 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-09 6:20 [PATCH] db/print: bad character cause illegal memory access Zorro Lang
2018-01-09 15:55 ` Brian Foster [this message]
2018-01-10 7:00 ` Zorro Lang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180109155536.GA888@bfoster.bfoster \
--to=bfoster@redhat.com \
--cc=linux-xfs@vger.kernel.org \
--cc=zlang@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox