summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKevin Cernekee <cernekee@gmail.com>2010-09-22 16:01:59 -0700
committerArtem Bityutskiy <Artem.Bityutskiy@nokia.com>2010-09-23 16:03:27 +0300
commitd8f0ae2f26898f652ad3af4536b5d0e4db37714f (patch)
treee1ab17995c7974b9803ca39973649318f0e1b13b
parent8f1d5a58ec95eaf8187cd033ad2ca18ba3191d65 (diff)
mkfs.ubifs: Fix heap corruption on LEB overrun
If max_leb_cnt (-c option) is set too low, set_lprops() will corrupt the heap and may result in a scary looking crash: $ bin/mkfs.ubifs -U -r romfs -o ubifs.img -m 512 -e 15360 -c 39 Error: max_leb_cnt too low (241 needed) *** glibc detected *** bin/mkfs.ubifs: double free or corruption (!prev): 0x088fe070 *** ======= Backtrace: ========= /lib32/libc.so.6(+0x6c231)[0xf75fb231] /lib32/libc.so.6(+0x6dab8)[0xf75fcab8] /lib32/libc.so.6(cfree+0x6d)[0xf75ffb9d] bin/mkfs.ubifs[0x804e801] bin/mkfs.ubifs[0x804e94b] bin/mkfs.ubifs[0x804e99d] /lib32/libc.so.6(__libc_start_main+0xe6)[0xf75a5bd6] bin/mkfs.ubifs(__fxstat64+0x55)[0x80491e1] ======= Memory map: ======== 08048000-0805d000 r-xp 00000000 08:08 10012045 /work/bin/mkfs.ubifs 0805d000-0805e000 rwxp 00015000 08:08 10012045 /work/bin/mkfs.ubifs 088fe000-08945000 rwxp 00000000 00:00 0 [heap] f73e1000-f73fe000 r-xp 00000000 08:05 2228842 /usr/lib32/libgcc_s.so.1 f73fe000-f73ff000 r-xp 0001c000 08:05 2228842 /usr/lib32/libgcc_s.so.1 f73ff000-f7400000 rwxp 0001d000 08:05 2228842 /usr/lib32/libgcc_s.so.1 f7400000-f7421000 rwxp 00000000 00:00 0 f7421000-f7500000 ---p 00000000 00:00 0 f751c000-f758f000 rwxp 00000000 00:00 0 f758f000-f76e2000 r-xp 00000000 08:05 426288 /lib32/libc-2.11.1.so f76e2000-f76e3000 ---p 00153000 08:05 426288 /lib32/libc-2.11.1.so f76e3000-f76e5000 r-xp 00153000 08:05 426288 /lib32/libc-2.11.1.so f76e5000-f76e6000 rwxp 00155000 08:05 426288 /lib32/libc-2.11.1.so f76e6000-f76e9000 rwxp 00000000 00:00 0 f76e9000-f770d000 r-xp 00000000 08:05 426296 /lib32/libm-2.11.1.so f770d000-f770e000 r-xp 00023000 08:05 426296 /lib32/libm-2.11.1.so f770e000-f770f000 rwxp 00024000 08:05 426296 /lib32/libm-2.11.1.so f772a000-f772c000 rwxp 00000000 00:00 0 f772c000-f772d000 r-xp 00000000 00:00 0 [vdso] f772d000-f7749000 r-xp 00000000 08:05 6062081 /lib32/ld-2.11.1.so f7749000-f774a000 r-xp 0001b000 08:05 6062081 /lib32/ld-2.11.1.so f774a000-f774b000 rwxp 0001c000 08:05 6062081 /lib32/ld-2.11.1.so ffb58000-ffb6d000 rwxp 00000000 00:00 0 [stack] Aborted New code aborts cleanly, and still calculates the number of LEBs required: $ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 39 Error: max_leb_cnt too low (241 needed) $ echo $? 255 $ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 240 Error: max_leb_cnt too low (241 needed) $ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 241 $ Signed-off-by: Kevin Cernekee <cernekee@gmail.com> Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
-rw-r--r--mkfs.ubifs/mkfs.ubifs.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/mkfs.ubifs/mkfs.ubifs.c b/mkfs.ubifs/mkfs.ubifs.c
index eeb5e42..ec38f0e 100644
--- a/mkfs.ubifs/mkfs.ubifs.c
+++ b/mkfs.ubifs/mkfs.ubifs.c
@@ -929,9 +929,11 @@ static void set_lprops(int lnum, int offs, int flags)
dirty = c->leb_size - free - ALIGN(offs, 8);
dbg_msg(3, "LEB %d free %d dirty %d flags %d", lnum, free, dirty,
flags);
- c->lpt[i].free = free;
- c->lpt[i].dirty = dirty;
- c->lpt[i].flags = flags;
+ if (i < c->main_lebs) {
+ c->lpt[i].free = free;
+ c->lpt[i].dirty = dirty;
+ c->lpt[i].flags = flags;
+ }
c->lst.total_free += free;
c->lst.total_dirty += dirty;
if (flags & LPROPS_INDEX)
@@ -1943,8 +1945,6 @@ static int finalize_leb_cnt(void)
{
c->leb_cnt = head_lnum;
if (c->leb_cnt > c->max_leb_cnt)
- /* TODO: in this case it segfaults because buffer overruns - we
- * somewhere allocate smaller buffers - fix */
return err_msg("max_leb_cnt too low (%d needed)", c->leb_cnt);
c->main_lebs = c->leb_cnt - c->main_first;
if (verbose) {