From f18e9636a26f39f6595ed365d31c01e876235b63 Mon Sep 17 00:00:00 2001 From: Yufen Yu Date: Thu, 24 Jan 2019 17:06:29 +0800 Subject: mtd-utils: fixes double free in mkfs.ubifs In inode_add_xattr(), it mallocs a buffer for name, and then passes the buffer ptr to add_xattr(). The ptr will be used to create a new idx_entry in add_to_index(). However, inode_add_xattr() will free the buffer before return, which can cause a double free in write_index(): free(idx_ptr[i]->name) *** Error in `./mkfs.ubifs': double free or corruption (fasttop): 0x0000000000aae220 *** ======= Backtrace: ========= /lib64/libc.so.6(+0x7cbac)[0x7f4881ff5bac] /lib64/libc.so.6(+0x87a59)[0x7f4882000a59] /lib64/libc.so.6(cfree+0x16e)[0x7f48820063be] ./mkfs.ubifs[0x402fbf] /lib64/libc.so.6(__libc_start_main+0xea)[0x7f4881f9988a] ./mkfs.ubifs[0x40356a] Signed-off-by: Yufen Yu Signed-off-by: David Oberhollenzer --- ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c index 6e11ec8..e0c42f3 100644 --- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c +++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c @@ -1163,8 +1163,9 @@ static int add_xattr(struct ubifs_ino_node *host_ino, struct stat *st, union ubifs_key xkey, nkey; int len, ret; - nm.name = name; nm.len = strlen(name); + nm.name = xmalloc(nm.len + 1); + memcpy(nm.name, name, nm.len + 1); host_ino->xattr_cnt++; host_ino->xattr_size += CALC_DENT_SIZE(nm.len); -- cgit v1.2.3
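Review bot: the new xmalloc/memcpy copy of name in add_xattr() changes who owns nm.name, but nothing at the allocation records that. Add a comment at the nm.name = xmalloc(nm.len + 1); line stating that the copy is handed to the index entry created by add_to_index() and released by the free(idx_ptr[i]->name) in write_index(), so that inode_add_xattr() stays free to release its own buffer. The hunk context ends before the function's error handling, so also check that any return taken after the allocation, but before the index entry takes ownership, frees nm.name; otherwise the double free is traded for a leak on those paths.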