bug#11787: Potential use after free bug in coreutils 8.17
Package: coreutils
Submitter: Xu Zhongxing
Severity: normal

From: Xu Zhongxing
To: bug-coreutils@gnu.org
Date: Tue, 26 Jun 2012 13:01:13 +0800 (CST)
Subject: Potential use after free bug in coreutils 8.17
In Coreutils 8.17, csplit.c, static bool load_buffer (void)

On lines 503 and 511, b is passed to free_buffer() twice. This could lead to a use-after-free bug in free_buffer(): struct line *n = l->next;, where buf->line_start is freed in the first call of free_buffer().

- Xu Zhongxing
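The double call the report describes is easiest to see on a small model of csplit's buffer record. The C program below is an added example, not coreutils code: the struct layout (a byte buffer plus a singly linked list of line records), the helper names and the sample input are assumptions that only mirror the identifiers in the report. `free_buffer_8_17` reconstructs the 8.17 shape of free_buffer() from the diff in the maintainer's reply further down the thread, and `free_buffer_fixed` adds the `buf->line_start = NULL` from commit 5958bb44c4d7cf3b69bb62955b3ece9d0715eb60. Calling the unfixed routine twice would walk freed nodes, which is undefined behaviour, so the program instead checks the precondition for the bug (the list head still points at freed memory after one call) and shows that the fixed routine releases each node exactly once across two calls.

```c
/* Added example, not coreutils code: a model of csplit's buffer_record and
   line list showing why free_buffer() must reset line_start to be callable
   twice.  Struct layout and helper names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct line { struct line *next; };

struct buffer_record
{
  char *buffer;              /* bytes read from the input */
  struct line *line_start;   /* head of the list of line records */
};

/* Line nodes passed to free() so far; a second free_buffer() call on the
   same record must not add to it. */
static size_t lines_released;

/* free_buffer() as in 8.17 (reconstructed from the diff): the list is
   freed but line_start still points at the first freed node, so a second
   call reads freed memory at "struct line *n = l->next". */
static void free_buffer_8_17 (struct buffer_record *buf)
{
  struct line *l = buf->line_start;
  while (l)
    {
      struct line *n = l->next;   /* use-after-free if called again */
      free (l);
      lines_released++;
      l = n;
    }
  free (buf->buffer);
  buf->buffer = NULL;
}

/* Same loop plus the one-line fix: with the head cleared the function is
   idempotent, so a repeat call's loop body never executes. */
static void free_buffer_fixed (struct buffer_record *buf)
{
  struct line *l = buf->line_start;
  while (l)
    {
      struct line *n = l->next;
      free (l);
      lines_released++;
      l = n;
    }
  buf->line_start = NULL;
  free (buf->buffer);
  buf->buffer = NULL;
}

/* Build a record over a constructed input with nlines line nodes. */
static void make_record (struct buffer_record *buf, size_t nlines)
{
  static const char sample[] = "a\nb\nc\n";   /* constructed sample input */
  size_t i;
  buf->buffer = malloc (sizeof sample);
  memcpy (buf->buffer, sample, sizeof sample);
  buf->line_start = NULL;
  for (i = 0; i < nlines; i++)
    {
      struct line *l = malloc (sizeof *l);
      l->next = buf->line_start;
      buf->line_start = l;
    }
}

/* Free a record twice with the fixed routine; returns the total nodes
   released, which equals nlines only if the second call is a no-op. */
size_t double_free_fixed (size_t nlines)
{
  struct buffer_record b;
  make_record (&b, nlines);
  lines_released = 0;
  free_buffer_fixed (&b);
  free_buffer_fixed (&b);
  return lines_released;
}

/* Free a record once with the 8.17 routine and report whether line_start
   still points at freed memory, the precondition for the reported bug.
   Only the field inside b is read; the freed nodes are never touched. */
int dangling_after_8_17 (size_t nlines)
{
  struct buffer_record b;
  make_record (&b, nlines);
  lines_released = 0;
  free_buffer_8_17 (&b);
  return b.line_start != NULL;
}

int main (void)
{
  printf ("fixed: %zu nodes released over two calls on a 3-line record\n",
          double_free_fixed (3));
  printf ("8.17: line_start dangling after one call? %s\n",
          dangling_after_8_17 (3) ? "yes" : "no");
  return 0;
}
```

The check is deliberately one-sided: the fixed routine can be exercised twice and counted, while the 8.17 routine is only run once and its leftover head pointer inspected, because a real second call is exactly the memory-safety violation a sanitizer build (for example `-fsanitize=address`) would flag rather than something a test should depend on.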

From: Pádraig Brady
To: Xu Zhongxing
Cc: 11787-done@debbugs.gnu.org
Date: Tue, 26 Jun 2012 11:32:56 +0100
Subject: Re: bug#11787: Potential use after free bug in coreutils 8.17
On 06/26/2012 06:01 AM, Xu Zhongxing wrote:
> In Coreutils 8.17, csplit.c, static bool load_buffer (void)
>
> On lines 503 and 511, b is passed to free_buffer() twice. This could lead to a use-after-free bug in free_buffer(): struct line *n = l->next;, where buf->line_start is freed in the first call of free_buffer().
>
> - Xu Zhongxing

I think this will address it.

thanks!
Pádraig.

commit 5958bb44c4d7cf3b69bb62955b3ece9d0715eb60
Author: Pádraig Brady
Date:   Tue Jun 26 11:13:45 2012 +0100

    maint: avoid a static analysis warning in csplit

    The Canalyze static code analyzer correctly surmised
    that there is a use-after-free bug in free_buffer()
    at the line "struct line *n = l->next", if that
    function is called multiple times.

    This is not a runtime issue since a list of lines
    will not be present in the !lines_found case.

    * src/csplit.c (free_buffer): Set list head to NULL so
    that this function can be called multiple times.
    (load_buffer): Remove a redundant call to free_buffer().

    Reported-by: Xu Zhongxing

diff --git a/THANKS.in b/THANKS.in
index 51b2c7d..2bdeab5 100644
--- a/THANKS.in
+++ b/THANKS.in
@@ -636,6 +636,7 @@ Wis Macomson wis.macomson@intel.com
 Wojciech Purczynski cliph@isec.pl
 Wolfram Kleff kleff@cs.uni-bonn.de
 Won-kyu Park wkpark@chem.skku.ac.kr
+Xu Zhongxing xu_zhong_xing@163.com
 Yang Ren ryang@redhat.com
 Yanko Kaneti yaneti@declera.com
 Yann Dirson dirson@debian.org
diff --git a/src/csplit.c b/src/csplit.c
index fb43350..c10562b 100644
--- a/src/csplit.c
+++ b/src/csplit.c
@@ -425,6 +425,7 @@ free_buffer (struct buffer_record *buf)
       free (l);
       l = n;
     }
+  buf->line_start = NULL;
   free (buf->buffer);
   buf->buffer = NULL;
 }
@@ -499,8 +500,6 @@ load_buffer (void)
       b->bytes_used += read_input (p, bytes_avail);

       lines_found = record_line_starts (b);
-      if (!lines_found)
-        free_buffer (b);

       if (lines_found || have_read_eof)
         break;
@@ -515,7 +514,10 @@ load_buffer (void)
   if (lines_found)
     save_buffer (b);
   else
-    free (b);
+    {
+      free_buffer (b);
+      free (b);
+    }

   return lines_found != 0;
 }
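Review bot: in the free_buffer hunk (@@ -425,6 +425,7 @@), the new `buf->line_start = NULL;` is only meaningful because the function may now be called twice on the same record, but nothing in the code says so; a one-line comment above it ("may be called more than once; see load_buffer") would keep a later cleanup from treating it as a pointless store right before the record is freed.

Review bot: the second hunk (@@ -499,8 +500,6 @@) removes the in-loop `if (!lines_found) free_buffer (b);`, so on an iteration that finds no line and has not reached EOF, b->buffer is no longer released at this point before the loop goes round again. The other call the report identifies at line 511 is presumably what now does that, but it lies outside the hunk's context lines, so a reader cannot confirm it from the diff; widening the context by a few lines, or naming the surviving call in the commit message, would make the hunk verifiable on its own.

Review bot: the third hunk (@@ -515,7 +514,10 @@) is a functional change rather than a warning fix: with the in-loop call gone, the added `free_buffer (b);` in the else branch is now what releases b->buffer on the EOF-without-lines path, yet the ChangeLog entry for load_buffer only says "Remove a redundant call to free_buffer()". The entry should also record the added call, for example "(load_buffer): Free the buffer contents before the record in the !lines_found case", so the two hunks are documented as a pair.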
From: Xu Zhongxing
To: Pádraig Brady
Cc: 11787-done@debbugs.gnu.org
Date: Tue, 26 Jun 2012 20:33:09 +0800
Subject: Re: bug#11787: Potential use after free bug in coreutils 8.17

I would like to mention that this bug (and a previous one) was found by a static analysis tool called Canalyze developed by us. See http://lcs.ios.ac.cn/~xzx/

On 2012/6/26 18:32, Pádraig Brady wrote:
> On 06/26/2012 06:01 AM, Xu Zhongxing wrote:
>> In Coreutils 8.17, csplit.c, static bool load_buffer (void)
>>
>> On lines 503 and 511, b is passed to free_buffer() twice. This could lead to a use-after-free bug in free_buffer(): struct line *n = l->next;, where buf->line_start is freed in the first call of free_buffer().
>>
>> - Xu Zhongxing
> I think this will address it.
>
> thanks!
> Pádraig.
>
> [quoted commit 5958bb44c4d7cf3b69bb62955b3ece9d0715eb60 and diff snipped; see the previous message]

From: Pádraig Brady
To: Xu Zhongxing
Cc: 11787-done@debbugs.gnu.org
Date: Tue, 26 Jun 2012 22:09:42 +0100
Subject: Re: bug#11787: Potential use after free bug in coreutils 8.17
On 06/26/2012 01:33 PM, Xu Zhongxing wrote:
> I would like to mention that this bug (and a previous one) was found by a static analysis tool called Canalyze developed by us.

I guessed that as you can see from the commit message below :)

> See http://lcs.ios.ac.cn/~xzx/

I'll include that URL since you imply it's fairly permanent.

cheers,
Pádraig.

>
> On 2012/6/26 18:32, Pádraig Brady wrote:
>> On 06/26/2012 06:01 AM, Xu Zhongxing wrote:
>>> In Coreutils 8.17, csplit.c, static bool load_buffer (void)
>>>
>>> On lines 503 and 511, b is passed to free_buffer() twice. This could lead to a use-after-free bug in free_buffer(): struct line *n = l->next;, where buf->line_start is freed in the first call of free_buffer().
>>>
>>> - Xu Zhongxing
>> I think this will address it.
>>
>> thanks!
>> Pádraig.
>>
>> commit 5958bb44c4d7cf3b69bb62955b3ece9d0715eb60
>> Author: Pádraig Brady
>> Date:   Tue Jun 26 11:13:45 2012 +0100
>>
>>     maint: avoid a static analysis warning in csplit
>>
>>     The Canalyze static code analyzer correctly surmised
>>     that there is a use-after-free bug in free_buffer()
>>     at the line "struct line *n = l->next", if that
>>     function is called multiple times.
>>
>>     This is not a runtime issue since a list of lines
>>     will not be present in the !lines_found case.

[debbugs control message, Wed, 25 Jul 2012 11:24:02 +0000: bug archived.]