GNU bug report logs - #11787
Potential use after free bug in coreutils 8.17


Package: coreutils;

Reported by: "Xu Zhongxing" <xu_zhong_xing <at> 163.com>

Date: Tue, 26 Jun 2012 05:22:01 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.



Message #11 received at 11787-done <at> debbugs.gnu.org (full text, mbox):

From: Xu Zhongxing <xu_zhong_xing <at> 163.com>
To: Pádraig Brady <P <at> draigBrady.com>
Cc: 11787-done <at> debbugs.gnu.org
Subject: Re: bug#11787: Potential use after free bug in coreutils 8.17
Date: Tue, 26 Jun 2012 20:33:09 +0800
I would like to mention that this bug (and a previous one) was found by 
a static analysis tool called Canalyze developed by us. See 
http://lcs.ios.ac.cn/~xzx/ <http://lcs.ios.ac.cn/%7Exzx/>

On 2012/6/26 18:32, Pádraig Brady wrote:
> On 06/26/2012 06:01 AM, Xu Zhongxing wrote:
>> In Coreutils 8.17, csplit.c, static bool load_buffer (void)
>>
>> On line 503 and 511, b is passed to free_buffer() twice. This could lead to a use-after-free bug in free_buffer(): struct line *n = l->next;, where buf->line_start is freed in the first call of free_buffer().
>>
>> - Xu Zhongxing
> I think this will address it.
>
> thanks!
> Pádraig.
>
> commit 5958bb44c4d7cf3b69bb62955b3ece9d0715eb60
> Author: Pádraig Brady<P <at> draigBrady.com>
> Date:   Tue Jun 26 11:13:45 2012 +0100
>
>      maint: avoid a static analysis warning in csplit
>
>      The Canalyze static code analyzer correctly surmised
>      that there is a use-after-free bug in free_buffer()
>      at the line "struct line *n = l->next", if that
>      function is called multiple times.
>
>      This is not a runtime issue since a list of lines
>      will not be present in the !lines_found case.
>
>      * src/csplit.c (free_buffer): Set list head to NULL so
>      that this function can be called multiple times.
>      (load_buffer): Remove a redundant call to free_buffer().
>
>      Reported-by: Xu Zhongxing
>
> diff --git a/THANKS.in b/THANKS.in
> index 51b2c7d..2bdeab5 100644
> --- a/THANKS.in
> +++ b/THANKS.in
> @@ -636,6 +636,7 @@ Wis Macomson                        wis.macomson <at> intel.com
>   Wojciech Purczynski                 cliph <at> isec.pl
>   Wolfram Kleff                       kleff <at> cs.uni-bonn.de
>   Won-kyu Park                        wkpark <at> chem.skku.ac.kr
> +Xu Zhongxing                        xu_zhong_xing <at> 163.com
>   Yang Ren                            ryang <at> redhat.com
>   Yanko Kaneti                        yaneti <at> declera.com
>   Yann Dirson                         dirson <at> debian.org
> diff --git a/src/csplit.c b/src/csplit.c
> index fb43350..c10562b 100644
> --- a/src/csplit.c
> +++ b/src/csplit.c
> @@ -425,6 +425,7 @@ free_buffer (struct buffer_record *buf)
>         free (l);
>         l = n;
>       }
> +  buf->line_start = NULL;
>     free (buf->buffer);
>     buf->buffer = NULL;
>   }
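Review bot: the added `buf->line_start = NULL;` is what makes free_buffer safe to call a second time, because the loop's `struct line *n = l->next;` then never dereferences a node freed by the earlier call; it would help the next reader to say so in a one-line comment above the loop, and if struct buffer_record keeps any other pointer or counter for the same list (a tail pointer, for instance, not visible in this hunk) it should be reset here as well, the way `buf->buffer = NULL;` already does for the data buffer.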
> @@ -499,8 +500,6 @@ load_buffer (void)
>         b->bytes_used += read_input (p, bytes_avail);
>
>         lines_found = record_line_starts (b);
> -      if (!lines_found)
> -        free_buffer (b);
>
>         if (lines_found || have_read_eof)
>           break;
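Review bot: removing `if (!lines_found) free_buffer (b);` means the `break` on `lines_found || have_read_eof` can now be taken with b's line list and data buffer still allocated in the no-lines-at-EOF case, so the code after the loop has to release both; please also confirm that the loop's retry path (the part that doubles the request size, not shown in this hunk) still frees the record itself, since it previously could rely on this call having already released b's contents.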
> @@ -515,7 +514,10 @@ load_buffer (void)
>     if (lines_found)
>       save_buffer (b);
>     else
> -    free (b);
> +    {
> +      free_buffer (b);
> +      free (b);
> +    }
>
>     return lines_found != 0;
>   }
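Review bot: the new else branch pairs `free_buffer (b);` with `free (b);`, which is correct given that free_buffer releases the list and the data buffer but not the record; because that pairing now has to be kept in step at every place a buffer_record is discarded, consider a small helper that does both, or at least a comment on free_buffer stating that ownership of b stays with the caller.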

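Added example, not code from the bug report or from coreutils: a minimal model of the csplit buffer record with free_buffer in its post-fix shape, showing why resetting the list head turns the double free described above into a harmless no-op. The fields line_start and buffer follow the patch; struct line's text field and the helpers make_record and double_free_is_harmless are assumed.

```c
#include <stdlib.h>
#include <string.h>
/* Minimal stand-in for csplit's structures (field names assumed). */
struct line { char *text; struct line *next; };
struct buffer_record { char *buffer; struct line *line_start; };

/* Same shape as csplit's free_buffer after the fix.  Without the
   "buf->line_start = NULL" line a second call would start from the
   already-freed head and read l->next from freed memory.  Returns the
   number of line nodes released so a repeat call can be checked. */
static size_t free_buffer (struct buffer_record *buf)
{
  size_t freed = 0;
  for (struct line *l = buf->line_start; l; freed++)
    {
      struct line *n = l->next;   /* valid only while l is still live */
      free (l->text);
      free (l);
      l = n;
    }
  buf->line_start = NULL;         /* the fix: the function is now idempotent */
  free (buf->buffer);             /* free (NULL) is a no-op, so this was already safe */
  buf->buffer = NULL;
  return freed;
}

/* Build a record holding NLINES constructed line entries (contents irrelevant). */
static void make_record (struct buffer_record *buf, size_t nlines)
{
  buf->buffer = malloc (32);      /* stands in for the raw input bytes */
  buf->line_start = NULL;
  for (size_t i = 0; i < nlines; i++)
    {
      struct line *l = malloc (sizeof *l);
      l->text = malloc (8);
      l->next = buf->line_start;
      buf->line_start = l;
    }
}

/* Free one record twice, as load_buffer's !lines_found path did in 8.17;
   returns 1 when the second call finds nothing left to release. */
static int double_free_is_harmless (size_t nlines)
{
  struct buffer_record b;
  make_record (&b, nlines);
  size_t first = free_buffer (&b);
  size_t second = free_buffer (&b);
  return first == nlines && second == 0 && !b.line_start && !b.buffer;
}
```

Running the same double call against the pre-fix shape (no reset of line_start) is undefined behaviour and is exactly what AddressSanitizer or a static checker such as Canalyze flags.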
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.