[PATCH] mount.cifs: Fix invalid free

Pavel Shilovsky pavel.shilovsky at gmail.com
Fri Oct 4 00:23:07 UTC 2019 

ср, 2 окт. 2019 г. в 13:04, David Mulder via samba-technical
<samba-technical at lists.samba.org>:
>
> Reviewed-by: David Mulder <dmulder at suse.com><mailto:dmulder at suse.com>
>
> On 9/19/19 6:12 AM, Paulo Alcantara (SUSE) wrote:
>
> When attemping to chdir into non-existing directories, mount.cifs
> crashes.
>
> This patch fixes the following ASAN report:
>
> $ ./mount.cifs //localhost/foo /mnt/invalid-dir -o ...
> /mnt/bar -o username=foo,password=foo,vers=1.0
> Couldn't chdir to /mnt/bar: No such file or directory
> =================================================================
> ==11846==ERROR: AddressSanitizer: attempting free on address which was
> not malloc()-ed: 0x7ffd86332e97 in thread T0
>     #0 0x7f0860ca01e7 in
>     __interceptor_free (/usr/lib64/libasan.so.5+0x10a1e7)
>     #1 0x557edece9ccb in
>     acquire_mountpoint (/home/paulo/src/cifs-utils/mount.cifs+0xeccb)
>     #2 0x557edecea63d in
>     main (/home/paulo/src/cifs-utils/mount.cifs+0xf63d)
>     #3 0x7f08609f0bca in __libc_start_main (/lib64/libc.so.6+0x26bca)
>     #4 0x557edece27d9 in
>     _start (/home/paulo/src/cifs-utils/mount.cifs+0x77d9)
>
> Address 0x7ffd86332e97 is located in stack of thread T0 at offset 8951
> in frame
>     #0 0x557edece9ce0 in
>     main (/home/paulo/src/cifs-utils/mount.cifs+0xece0)
>
>   This frame has 2 object(s):
>     [48, 52) 'rc' (line 1959)
>     [64, 72) 'mountpoint' (line 1955) <== Memory access at offset 8951
>     overflows this variable
> HINT: this may be a false positive if your program uses some custom
> stack unwind mechanism, swapcontext or vfork
>       (longjmp and C++ exceptions *are* supported)
> SUMMARY: AddressSanitizer: bad-free (/usr/lib64/libasan.so.5+0x10a1e7)
> in __interceptor_free
> ==11846==ABORTING
>
> Fixes: bf7f48f4c7dc ("mount.cifs.c: fix memory leaks in main func")
> Signed-off-by: Paulo Alcantara (SUSE) <pc at cjr.nz><mailto:pc at cjr.nz>
> ---
>  mount.cifs.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/mount.cifs.c b/mount.cifs.c
> index 7748d54aa814..0c38adcd99b1 100644
> --- a/mount.cifs.c
> +++ b/mount.cifs.c
> @@ -1893,7 +1893,7 @@ acquire_mountpoint(char **mountpointp)
>         int rc, dacrc;
>         uid_t realuid, oldfsuid;
>         gid_t oldfsgid;
> -       char *mountpoint;
> +       char *mountpoint = NULL;
>
>         /*
>          * Acquire the necessary privileges to chdir to the mountpoint. If
> @@ -1942,9 +1942,9 @@ restore_privs:
>                 gid_t __attribute__((unused)) gignore = setfsgid(oldfsgid);
>         }
>
> -       if (rc) {
> -               free(*mountpointp);
> -       }
> +       if (rc)
> +               free(mountpoint);
> +
>         return rc;
>  }
>
Merged, thanks.
--
Best regards,
Pavel Shilovsky

More information about the samba-technical mailing list