www.infradead.org Git - mtd-utils.git/commit

author	Yufen Yu <yuyufen@huawei.com>
	Thu, 24 Jan 2019 09:06:29 +0000 (17:06 +0800)
committer	David Oberhollenzer <david.oberhollenzer@sigma-star.at>
	Mon, 11 Feb 2019 03:58:33 +0000 (04:58 +0100)
commit	f18e9636a26f39f6595ed365d31c01e876235b63
tree	35aefdce08d3d2733664462a40bab701d20492ea	tree
parent	4a5a10a3dfe13d3f546ee4acbe2a96054ae423f7	commit \| diff

mtd-utils: fixes double free in mkfs.ubifs

In inode_add_xattr(), it malloc a buffer for name, and then passes
the bufffer ptr to add_xattr(). The ptr will be used to create a new
idx_entry in add_to_index().

However, inode_add_xattr() will free the buffer before return.
which can cause double free in write_index(): free(idx_ptr[i]->name)

*** Error in `./mkfs.ubifs': double free or corruption (fasttop): 0x0000000000aae220 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7cbac)[0x7f4881ff5bac]
/lib64/libc.so.6(+0x87a59)[0x7f4882000a59]
/lib64/libc.so.6(cfree+0x16e)[0x7f48820063be]
./mkfs.ubifs[0x402fbf]
/lib64/libc.so.6(__libc_start_main+0xea)[0x7f4881f9988a]
./mkfs.ubifs[0x40356a]

Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>