reiserfs-devel.vger.kernel.org archive mirror
* [Bug 104391] New: Use-after-free errors in reiserfsprogs (mkreiserfs / reiserfsck)
@ 2015-09-10 13:20 bugzilla-daemon
  2016-03-20 10:00 ` [Bug 104391] " bugzilla-daemon
  0 siblings, 1 reply; 2+ messages in thread
From: bugzilla-daemon @ 2015-09-10 13:20 UTC (permalink / raw)
  To: reiserfs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=104391

            Bug ID: 104391
           Summary: Use-after-free errors in reiserfsprogs (mkreiserfs /
                    reiserfsck)
           Product: File System
           Version: 2.5
    Kernel Version: 4.2.0
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@vger.kernel.org
          Reporter: hanno@hboeck.de
        Regression: No

The reiserfsprogs have use-after-free errors (even on normal operation).

When I compile reiserfsprogs with address sanitizer (adding
"-fsanitize=address" to CFLAGS/LDFLAGS) and run mkreiserfs I get this:

==31481==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00000cf98
at pc 0x48e705 bp 0x7ffdd4eeeda0 sp 0x7ffdd4eeed90
READ of size 4 at 0x60d00000cf98 thread T0
    #0 0x48e704 in reiserfs_close
/f/reiser/reiserfsprogs-3.6.24/reiserfscore/reiserfslib.c:419
    #1 0x4070a6 in main
/f/reiser/reiserfsprogs-3.6.24/mkreiserfs/mkreiserfs.c:785
    #2 0x7f4a4c899f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #3 0x40b0b1 (/f/reiser/reiserfsprogs-3.6.24/mkreiserfs/mkreiserfs+0x40b0b1)

0x60d00000cf98 is located 40 bytes inside of 144-byte region
[0x60d00000cf70,0x60d00000d000)
freed by thread T0 here:
    #0 0x7f4a4ce7347f in __interceptor_free
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x5747f)
    #1 0x48e50b in reiserfs_free
/f/reiser/reiserfsprogs-3.6.24/reiserfscore/reiserfslib.c:407
    #2 0x48e50b in reiserfs_close
/f/reiser/reiserfsprogs-3.6.24/reiserfscore/reiserfslib.c:418

previously allocated by thread T0 here:
    #0 0x7f4a4ce736f7 in malloc
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x4c6f7c in mem_alloc /f/reiser/reiserfsprogs-3.6.24/lib/misc.c:110
    #2 0x4c6f7c in getmem /f/reiser/reiserfsprogs-3.6.24/lib/misc.c:97


Same with reiserfsck (on a previously newly created reiserfs image):
==4684==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00000cf98
at pc 0x541855 bp 0x7ffc99c55540 sp 0x7ffc99c55530
READ of size 4 at 0x60d00000cf98 thread T0
    #0 0x541854 in reiserfs_close
/f/reiser/reiserfsprogs-3.6.24/reiserfscore/reiserfslib.c:419
    #1 0x4077c4 in check_fs /f/reiser/reiserfsprogs-3.6.24/fsck/main.c:1156
    #2 0x4077c4 in main /f/reiser/reiserfsprogs-3.6.24/fsck/main.c:1356
    #3 0x7f46ec29df9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #4 0x411251 (/f/reiser/reiserfsprogs-3.6.24/fsck/reiserfsck+0x411251)

0x60d00000cf98 is located 40 bytes inside of 144-byte region
[0x60d00000cf70,0x60d00000d000)
freed by thread T0 here:
    #0 0x7f46ec87747f in __interceptor_free
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x5747f)
    #1 0x54165b in reiserfs_free
/f/reiser/reiserfsprogs-3.6.24/reiserfscore/reiserfslib.c:407
    #2 0x54165b in reiserfs_close
/f/reiser/reiserfsprogs-3.6.24/reiserfscore/reiserfslib.c:418

previously allocated by thread T0 here:
    #0 0x7f46ec8776f7 in malloc
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x57a0cc in mem_alloc /f/reiser/reiserfsprogs-3.6.24/lib/misc.c:110
    #2 0x57a0cc in getmem /f/reiser/reiserfsprogs-3.6.24/lib/misc.c:97

-- 
You are receiving this mail because:
You are the assignee for the bug.
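
The pattern both traces above point at, where a handle is freed at reiserfslib.c:418 and a 4-byte field inside it is read at line 419, is shown here as an added example. It is not part of the original report and not reiserfsprogs source: the struct layout and every function name are hypothetical, chosen only to match the reported sizes (144-byte region, read at offset 40).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical handle sized like the region in the ASan report. */
struct fs_handle {
    char header[40];
    int  dev_fd;      /* 4-byte field at offset 40 */
    char rest[100];
};
_Static_assert(sizeof(struct fs_handle) == 144, "matches reported region size");
_Static_assert(offsetof(struct fs_handle, dev_fd) == 40, "matches reported offset");

static struct fs_handle *fs_open(int fd)
{
    struct fs_handle *fs = calloc(1, sizeof *fs);
    if (fs)
        fs->dev_fd = fd;
    return fs;
}

static void fs_free(struct fs_handle *fs) { free(fs); }

/* Buggy order: the handle is released, then a field is read from it. */
int fs_close_buggy(struct fs_handle *fs)
{
    fs_free(fs);
    return fs->dev_fd;   /* heap-use-after-free, READ of size 4 */
}

/* Corrected order: copy out what is still needed, then release. */
int fs_close_fixed(struct fs_handle *fs)
{
    int fd = fs->dev_fd;
    fs_free(fs);
    return fd;
}

int main(int argc, char **argv)
{
    (void)argv;
    struct fs_handle *fs = fs_open(3);
    if (!fs)
        return 1;
    /* Any argument selects the buggy path, for use with -fsanitize=address. */
    int fd = (argc > 1) ? fs_close_buggy(fs) : fs_close_fixed(fs);
    printf("closed handle for fd %d\n", fd);
    return 0;
}
```

Built with "-fsanitize=address" and run with an argument, the buggy path is reported as heap-use-after-free with the same three stacks (access, free, allocation) as the reports above; without ASan the stale read usually goes unnoticed, which is why the error appears "even on normal operation".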


* [Bug 104391] Use-after-free errors in reiserfsprogs (mkreiserfs / reiserfsck)
  2015-09-10 13:20 [Bug 104391] New: Use-after-free errors in reiserfsprogs (mkreiserfs / reiserfsck) bugzilla-daemon
@ 2016-03-20 10:00 ` bugzilla-daemon
  0 siblings, 0 replies; 2+ messages in thread
From: bugzilla-daemon @ 2016-03-20 10:00 UTC (permalink / raw)
  To: reiserfs-devel

https://bugzilla.kernel.org/show_bug.cgi?id=104391

Szőgyényi Gábor <szg0000@freemail.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |szg0000@freemail.hu
