diff options
author | Kevin Cernekee <cernekee@gmail.com> | 2010-09-22 16:01:59 -0700 |
---|---|---|
committer | Artem Bityutskiy <Artem.Bityutskiy@nokia.com> | 2010-09-23 16:03:27 +0300 |
commit | d8f0ae2f26898f652ad3af4536b5d0e4db37714f (patch) | |
tree | e1ab17995c7974b9803ca39973649318f0e1b13b | |
parent | 8f1d5a58ec95eaf8187cd033ad2ca18ba3191d65 (diff) |
mkfs.ubifs: Fix heap corruption on LEB overrun
If max_leb_cnt (-c option) is set too low, set_lprops() will corrupt
the heap and may result in a scary looking crash:
$ bin/mkfs.ubifs -U -r romfs -o ubifs.img -m 512 -e 15360 -c 39
Error: max_leb_cnt too low (241 needed)
*** glibc detected *** bin/mkfs.ubifs: double free or corruption (!prev): 0x088fe070 ***
======= Backtrace: =========
/lib32/libc.so.6(+0x6c231)[0xf75fb231]
/lib32/libc.so.6(+0x6dab8)[0xf75fcab8]
/lib32/libc.so.6(cfree+0x6d)[0xf75ffb9d]
bin/mkfs.ubifs[0x804e801]
bin/mkfs.ubifs[0x804e94b]
bin/mkfs.ubifs[0x804e99d]
/lib32/libc.so.6(__libc_start_main+0xe6)[0xf75a5bd6]
bin/mkfs.ubifs(__fxstat64+0x55)[0x80491e1]
======= Memory map: ========
08048000-0805d000 r-xp 00000000 08:08 10012045 /work/bin/mkfs.ubifs
0805d000-0805e000 rwxp 00015000 08:08 10012045 /work/bin/mkfs.ubifs
088fe000-08945000 rwxp 00000000 00:00 0 [heap]
f73e1000-f73fe000 r-xp 00000000 08:05 2228842 /usr/lib32/libgcc_s.so.1
f73fe000-f73ff000 r-xp 0001c000 08:05 2228842 /usr/lib32/libgcc_s.so.1
f73ff000-f7400000 rwxp 0001d000 08:05 2228842 /usr/lib32/libgcc_s.so.1
f7400000-f7421000 rwxp 00000000 00:00 0
f7421000-f7500000 ---p 00000000 00:00 0
f751c000-f758f000 rwxp 00000000 00:00 0
f758f000-f76e2000 r-xp 00000000 08:05 426288 /lib32/libc-2.11.1.so
f76e2000-f76e3000 ---p 00153000 08:05 426288 /lib32/libc-2.11.1.so
f76e3000-f76e5000 r-xp 00153000 08:05 426288 /lib32/libc-2.11.1.so
f76e5000-f76e6000 rwxp 00155000 08:05 426288 /lib32/libc-2.11.1.so
f76e6000-f76e9000 rwxp 00000000 00:00 0
f76e9000-f770d000 r-xp 00000000 08:05 426296 /lib32/libm-2.11.1.so
f770d000-f770e000 r-xp 00023000 08:05 426296 /lib32/libm-2.11.1.so
f770e000-f770f000 rwxp 00024000 08:05 426296 /lib32/libm-2.11.1.so
f772a000-f772c000 rwxp 00000000 00:00 0
f772c000-f772d000 r-xp 00000000 00:00 0 [vdso]
f772d000-f7749000 r-xp 00000000 08:05 6062081 /lib32/ld-2.11.1.so
f7749000-f774a000 r-xp 0001b000 08:05 6062081 /lib32/ld-2.11.1.so
f774a000-f774b000 rwxp 0001c000 08:05 6062081 /lib32/ld-2.11.1.so
ffb58000-ffb6d000 rwxp 00000000 00:00 0 [stack]
Aborted
New code aborts cleanly, and still calculates the number of LEBs
required:
$ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 39
Error: max_leb_cnt too low (241 needed)
$ echo $?
255
$ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 240
Error: max_leb_cnt too low (241 needed)
$ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 241
$
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
-rw-r--r-- | mkfs.ubifs/mkfs.ubifs.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/mkfs.ubifs/mkfs.ubifs.c b/mkfs.ubifs/mkfs.ubifs.c index eeb5e42..ec38f0e 100644 --- a/mkfs.ubifs/mkfs.ubifs.c +++ b/mkfs.ubifs/mkfs.ubifs.c @@ -929,9 +929,11 @@ static void set_lprops(int lnum, int offs, int flags) dirty = c->leb_size - free - ALIGN(offs, 8); dbg_msg(3, "LEB %d free %d dirty %d flags %d", lnum, free, dirty, flags); - c->lpt[i].free = free; - c->lpt[i].dirty = dirty; - c->lpt[i].flags = flags; + if (i < c->main_lebs) { + c->lpt[i].free = free; + c->lpt[i].dirty = dirty; + c->lpt[i].flags = flags; + } c->lst.total_free += free; c->lst.total_dirty += dirty; if (flags & LPROPS_INDEX) @@ -1943,8 +1945,6 @@ static int finalize_leb_cnt(void) { c->leb_cnt = head_lnum; if (c->leb_cnt > c->max_leb_cnt) - /* TODO: in this case it segfaults because buffer overruns - we - * somewhere allocate smaller buffers - fix */ return err_msg("max_leb_cnt too low (%d needed)", c->leb_cnt); c->main_lebs = c->leb_cnt - c->main_first; if (verbose) { |