From: "Xu Zhongxing"
To: bug-coreutils@gnu.org
Subject: bug#11787: Potential use after free bug in coreutils 8.17
Date: Tue, 26 Jun 2012 13:01:13 +0800 (CST)
In Coreutils 8.17, csplit.c, static bool load_buffer (void)

On lines 503 and 511, b is passed to free_buffer() twice. This could lead to a use-after-free bug in free_buffer() at "struct line *n = l->next;", where buf->line_start is freed in the first call of free_buffer().

- Xu Zhongxing
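To make the reported hazard concrete, here is an added example (not code from coreutils or from the reporter) built on a constructed stand-in for csplit's buffer_record and its line list: free_buffer_before mirrors the pattern the report describes, and free_buffer_after adds the head reset that makes a repeated call safe, the same guard the maintainer's fix in this thread applies. Everything except the names line_start, buffer and free_buffer is assumed for the illustration.

```c
#include <stdlib.h>
/* Constructed stand-in for csplit's buffer_record: bytes plus a list of lines. */
struct line { char *start; struct line *next; };
struct buffer_record { char *buffer; struct line *line_start; };

/* Before the fix: nodes are freed but line_start still points at the first
   freed node, so a second call reads l->next from freed memory. Contrast only. */
void free_buffer_before (struct buffer_record *buf)
{
  struct line *l = buf->line_start;
  while (l) { struct line *n = l->next; free (l); l = n; }
  free (buf->buffer);
  buf->buffer = NULL;
}

/* After the fix: resetting line_start makes the routine idempotent; the node count is returned so a repeat call is observable. */
size_t free_buffer_after (struct buffer_record *buf)
{
  size_t released = 0;
  struct line *l = buf->line_start;
  while (l) { struct line *n = l->next; free (l); l = n; released++; }
  buf->line_start = NULL;   /* the one-line change that removes the hazard */
  free (buf->buffer);       /* free (NULL) on a repeat call is harmless */
  buf->buffer = NULL;
  return released;
}

/* Constructed input: a buffer with NLINES two-byte line records (assumed layout). */
struct buffer_record *make_buffer (size_t nlines)
{
  struct buffer_record *b = calloc (1, sizeof *b);
  b->buffer = malloc (nlines * 2 + 1);
  for (size_t i = 0; i < nlines; i++)
    {
      struct line *l = calloc (1, sizeof *l);
      l->start = b->buffer + 2 * i; l->next = b->line_start; b->line_start = l;
    }
  return b;
}

/* Release one buffer twice, as load_buffer could; returns the second call's count, stores the first in *first_call. */
size_t release_twice (size_t nlines, size_t *first_call)
{
  struct buffer_record *b = make_buffer (nlines);
  *first_call = free_buffer_after (b);
  size_t second_call = free_buffer_after (b);
  free (b);
  return second_call;
}
```

Running the hardened routine twice on the same record frees every node once and nothing the second time; the "before" variant is left uncalled because its second invocation is exactly the undefined behaviour the report describes.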


From: help-debbugs@gnu.org (GNU bug Tracking System)
To: "Xu Zhongxing"
Subject: bug#11787: closed (Re: bug#11787: Potential use after free bug in coreutils 8.17)
Date: Tue, 26 Jun 2012 10:38:01 +0000

Your bug report #11787: Potential use after free bug in coreutils 8.17 which was filed against the coreutils package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 11787@debbugs.gnu.org.

11787: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=11787
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Pádraig Brady
To: Xu Zhongxing
Cc: 11787-done@debbugs.gnu.org
Subject: Re: bug#11787: Potential use after free bug in coreutils 8.17
Date: Tue, 26 Jun 2012 11:32:56 +0100

On 06/26/2012 06:01 AM, Xu Zhongxing wrote:
> In Coreutils 8.17, csplit.c, static bool load_buffer (void)
>
> On lines 503 and 511, b is passed to free_buffer() twice. This could lead to a use-after-free bug in free_buffer(): struct line *n = l->next;, where buf->line_start is freed in the first call of free_buffer().
>
> - Xu Zhongxing

I think this will address it.

thanks!
Pádraig.

commit 5958bb44c4d7cf3b69bb62955b3ece9d0715eb60
Author: Pádraig Brady
Date:   Tue Jun 26 11:13:45 2012 +0100

    maint: avoid a static analysis warning in csplit

    The Canalyze static code analyzer correctly surmised that there is
    a use-after-free bug in free_buffer() at the line
    "struct line *n = l->next", if that function is called multiple times.
    This is not a runtime issue since a list of lines will not be present
    in the !lines_found case.

    * src/csplit.c (free_buffer): Set list head to NULL so that this
    function can be called multiple times.
    (load_buffer): Remove a redundant call to free_buffer().

    Reported-by: Xu Zhongxing

diff --git a/THANKS.in b/THANKS.in index 51b2c7d..2bdeab5 100644 --- a/THANKS.in +++ b/THANKS.in @@ -636,6 +636,7 @@ Wis Macomson wis.macomson@inte= l.com Wojciech Purczynski cliph@isec.pl Wolfram Kleff kleff@cs.uni-bonn.de Won-kyu Park wkpark@chem.skku.ac.kr +Xu Zhongxing xu_zhong_xing@163.com Yang Ren ryang@redhat.com Yanko Kaneti yaneti@declera.com Yann Dirson dirson@debian.org diff --git a/src/csplit.c b/src/csplit.c index fb43350..c10562b 100644 --- a/src/csplit.c +++ b/src/csplit.c @@ -425,6 +425,7 @@ free_buffer (struct buffer_record *buf) free (l); l =3D n; } + buf->line_start =3D NULL; free (buf->buffer); buf->buffer =3D NULL; } @@ -499,8 +500,6 @@ load_buffer (void) b->bytes_used +=3D read_input (p, bytes_avail); lines_found =3D record_line_starts (b); - if (!lines_found) - free_buffer (b); if (lines_found || have_read_eof) break; 
@@ -515,7 +514,10 @@ load_buffer (void) if (lines_found) save_buffer (b); else - free (b); + { + free_buffer (b); + free (b); + } return lines_found !=3D 0; }
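Review bot: in the free_buffer hunk (@@ -425,6 +425,7 @@), the added `+ buf->line_start =3D NULL;` makes the node loop a no-op on a second call, but nothing at the site records that free_buffer() is now expected to be callable more than once; the invariant lives only in the commit message, so a one-line comment above the assignment would keep it visible to the next person editing the function, matching the existing `buf->buffer =3D NULL;` reset that already follows it.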
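Review bot: in the first load_buffer hunk (@@ -499,8 +500,6 @@), dropping `- if (!lines_found)` / `- free_buffer (b);` means the no-lines, not-yet-EOF path now keeps b allocated when the loop goes round again, so correctness depends on the remaining free_buffer() call later in the loop (the line 511 call from the report) being the sole release point before the buffer is regrown; that call deserves a comment saying so, since the pairing is no longer visible in this part of the function.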
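Review bot: in the second load_buffer hunk (@@ -515,7 +514,10 @@), the new else block `+ free_buffer (b);` / `+ free (b);` is needed because the EOF-without-lines path previously relied on the early call that the preceding hunk removes to release b->buffer; with that, load_buffer() now carries the same free_buffer-then-free sequence in two places, so a small helper wrapping the pair would keep the two release paths from drifting apart.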