]> www.infradead.org Git - mtd-utils.git/commit
projects / mtd-utils.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 8f1d5a5) | patch
mkfs.ubifs: Fix heap corruption on LEB overrun
authorKevin Cernekee <cernekee@gmail.com>
Wed, 22 Sep 2010 23:01:59 +0000 (16:01 -0700)
committerArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
Thu, 23 Sep 2010 13:03:27 +0000 (16:03 +0300)
commitd8f0ae2f26898f652ad3af4536b5d0e4db37714f
treee1ab17995c7974b9803ca39973649318f0e1b13btree
parent8f1d5a58ec95eaf8187cd033ad2ca18ba3191d65commit | diff
mkfs.ubifs: Fix heap corruption on LEB overrun

If max_leb_cnt (-c option) is set too low, set_lprops() will corrupt
the heap and may result in a scary looking crash:

$ bin/mkfs.ubifs -U -r romfs -o ubifs.img -m 512 -e 15360 -c 39
Error: max_leb_cnt too low (241 needed)
*** glibc detected *** bin/mkfs.ubifs: double free or corruption (!prev): 0x088fe070 ***
======= Backtrace: =========
/lib32/libc.so.6(+0x6c231)[0xf75fb231]
/lib32/libc.so.6(+0x6dab8)[0xf75fcab8]
/lib32/libc.so.6(cfree+0x6d)[0xf75ffb9d]
bin/mkfs.ubifs[0x804e801]
bin/mkfs.ubifs[0x804e94b]
bin/mkfs.ubifs[0x804e99d]
/lib32/libc.so.6(__libc_start_main+0xe6)[0xf75a5bd6]
bin/mkfs.ubifs(__fxstat64+0x55)[0x80491e1]
======= Memory map: ========
08048000-0805d000 r-xp 00000000 08:08 10012045                           /work/bin/mkfs.ubifs
0805d000-0805e000 rwxp 00015000 08:08 10012045                           /work/bin/mkfs.ubifs
088fe000-08945000 rwxp 00000000 00:00 0                                  [heap]
f73e1000-f73fe000 r-xp 00000000 08:05 2228842                            /usr/lib32/libgcc_s.so.1
f73fe000-f73ff000 r-xp 0001c000 08:05 2228842                            /usr/lib32/libgcc_s.so.1
f73ff000-f7400000 rwxp 0001d000 08:05 2228842                            /usr/lib32/libgcc_s.so.1
f7400000-f7421000 rwxp 00000000 00:00 0
f7421000-f7500000 ---p 00000000 00:00 0
f751c000-f758f000 rwxp 00000000 00:00 0
f758f000-f76e2000 r-xp 00000000 08:05 426288                             /lib32/libc-2.11.1.so
f76e2000-f76e3000 ---p 00153000 08:05 426288                             /lib32/libc-2.11.1.so
f76e3000-f76e5000 r-xp 00153000 08:05 426288                             /lib32/libc-2.11.1.so
f76e5000-f76e6000 rwxp 00155000 08:05 426288                             /lib32/libc-2.11.1.so
f76e6000-f76e9000 rwxp 00000000 00:00 0
f76e9000-f770d000 r-xp 00000000 08:05 426296                             /lib32/libm-2.11.1.so
f770d000-f770e000 r-xp 00023000 08:05 426296                             /lib32/libm-2.11.1.so
f770e000-f770f000 rwxp 00024000 08:05 426296                             /lib32/libm-2.11.1.so
f772a000-f772c000 rwxp 00000000 00:00 0
f772c000-f772d000 r-xp 00000000 00:00 0                                  [vdso]
f772d000-f7749000 r-xp 00000000 08:05 6062081                            /lib32/ld-2.11.1.so
f7749000-f774a000 r-xp 0001b000 08:05 6062081                            /lib32/ld-2.11.1.so
f774a000-f774b000 rwxp 0001c000 08:05 6062081                            /lib32/ld-2.11.1.so
ffb58000-ffb6d000 rwxp 00000000 00:00 0                                  [stack]
Aborted

New code aborts cleanly, and still calculates the number of LEBs
required:

$ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 39
Error: max_leb_cnt too low (241 needed)
$ echo $?
255
$ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 240
Error: max_leb_cnt too low (241 needed)
$ bin/mkfs.ubifs -U -r romfs -o tmp/ubifs.img -m 512 -e 15360 -c 241
$

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
mkfs.ubifs/mkfs.ubifs.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.