From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D307FC433F5 for ; Tue, 2 Nov 2021 07:11:22 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id E618360C41 for ; Tue, 2 Nov 2021 07:11:21 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org E618360C41 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=bootlin.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 33A6B82127; Tue, 2 Nov 2021 08:11:19 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=bootlin.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 1325C82127; Tue, 2 Nov 2021 08:11:18 +0100 (CET) Received: from relay8-d.mail.gandi.net (relay8-d.mail.gandi.net [217.70.183.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 4828182051 for ; Tue, 2 Nov 2021 08:11:14 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=bootlin.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=miquel.raynal@bootlin.com Received: (Authenticated sender: miquel.raynal@bootlin.com) by relay8-d.mail.gandi.net (Postfix) with ESMTPSA id 8FA4D1BF210; Tue, 2 Nov 2021 07:11:13 +0000 (UTC) Date: Tue, 2 Nov 2021 08:11:12 +0100 From: Miquel Raynal To: Jincheng Wang Cc: Tom Rini , u-boot@lists.denx.de Subject: Re: [PATCH1/1]sqfs: sqfs_tokenize() should fill the tokens list instead of free items Message-ID: <20211102081112.636ff254@xps13> In-Reply-To: References: <20211026192556.GA631424@bill-the-cat> <20211027101709.5b494100@xps13> Organization: Bootlin X-Mailer: Claws Mail 3.17.7 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Hi Jincheng, jc.w4ng@gmail.com wrote on Sun, 31 Oct 2021 18:24:47 +0800: > ---------- Forwarded message --------- > =E5=8F=91=E4=BB=B6=E4=BA=BA=EF=BC=9A Jincheng Wang > Date: 2021=E5=B9=B410=E6=9C=8831=E6=97=A5=E5=91=A8=E6=97=A5 =E4=B8=8B=E5= =8D=886:23 > Subject: Re: [PATCH1/1]sqfs: sqfs_tokenize() should fill the tokens list > instead of free items > To: Miquel Raynal >=20 >=20 > Hello, >=20 > Apologize for a late reply ,and I made a mistake in wirting mail. >=20 > Here is the email before I commit the patch. >=20 > Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload") >=20 > On Tue, Oct 12, 2021 at 04:07:43PM +0800, Jincheng Wang wrote: >=20 > > Hello U-Boot lists! > > I had been doing a fuzz testing in U-Boot . > > There is a double free bug in U-Boot, in /fs/squashfs/sqfs.c in the > > function sqfs_tokenize( ). > > On the line 307, tokens[i] is being freed and the ret is being set =20 > -ENOMEM, > > it will go to the out: label and free tokens[i] again (just like > > CVE-2020-8432, double free in do_rename_gpt_parts() ). > > Here is a sample command cause to crash in sandbox environment: > > host bind 0 test.sqsh > > sqfsls host 0 1//3 =20 >=20 > ------------------------------ >=20 > The vulnerability can be fixed with a new return value and a new label. B= ut > I didn't want to creat these, I chose another way. You need to answer my questions below if you don't want to propose another solution. But creating a new goto label is perhaps the good way to solve this, provided that there is actually a leak (I am waiting for the explanation of how it happens). Cheers, Miqu=C3=A8l >=20 > Regards, > Jincheng >=20 >=20 > Miquel Raynal =E4=BA=8E2021=E5=B9=B410=E6=9C= =8827=E6=97=A5=E5=91=A8=E4=B8=89 =E4=B8=8B=E5=8D=884:17=E5=86=99=E9=81=93= =EF=BC=9A >=20 > > Hello, > > > > trini@konsulko.com wrote on Tue, 26 Oct 2021 15:25:56 -0400: > > =20 > > > On Sat, Oct 16, 2021 at 10:19:48AM +0800, Jincheng Wang wrote: > > > =20 > > > > We can delete two lines of code to avoid double free bug, but still= a =20 > > wild =20 > > > > pointers bug. > > > > > > > > A test for wild pointers: > > > > sqfsls host 0 1//2/3//4/5 > > > > > > > > Fill the tokens list can solve it well. > > > > > > > > > > > > Signed-off-by: Jincheng Wang > > > > --- > > > > fs/squashfs/sqfs.c | 5 +++-- > > > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > > > > > } > > > > > > > > diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c > > > > index e2d91c654c..50d3f8b71e 100644 > > > > --- a/fs/squashfs/sqfs.c > > > > +++ b/fs/squashfs/sqfs.c > > > > @@ -303,8 +303,9 @@ static int sqfs_tokenize(char **tokens, int cou= nt, > > > > const char *str) > > > > aux =3D strtok(!j ? strc : NULL, "/"); > > > > tokens[j] =3D strdup(aux); > > > > if (!tokens[j]) { > > > > - for (i =3D 0; i < j; i++) > > > > - free(tokens[i]); =20 > > > > Where is the double free here? Why do you stop freeing the tokens list? > > =20 > > > > + /* fill tokens list to avoid wild pointers being freed*/ > > > > + for (i =3D j + 1; i < count; i++) > > > > + tokens[i] =3D 0; =20 > > > > This does not feel right. Perhaps it's just me not getting through the > > lack of spacing successfully but this deserves more explanations. > > =20 > > > > ret =3D -ENOMEM; > > > > goto free_strc; =20 > > > > > > Aside from the whitespace having been destroyed, any comments from the > > > maintainers / reviewers? Thanks! > > > =20 > > > > Thanks, > > Miqu=C3=A8l > > =20