This is the mail archive of the newlib@sourceware.org mailing list for the newlib project.



[PATCH] Fix use after free in closedir


closedir() calls _cleanupdir() on a pointer to DIR after a free().
If HAVE_DD_LOCK is defined, it also dereferences the pointer when
calling __lock_release_recursive() and __lock_close_recursive().
This was creating problems in my target.

Moreover, the previous code would not deallocate the struct if
dirp->dd_fd is -1.

Attached is a simple patch to fix the issue.

2013-11-13  Terraneo Federico  <fede.tft@hotmail.it>

	* libc/posix/closedir.c: Fix use after free and
	  memory leak if dirp->dd_fd is -1
diff -ruN newlib-old/newlib/libc/posix/closedir.c newlib/newlib/libc/posix/closedir.c
--- newlib-old/newlib/libc/posix/closedir.c	2003-06-06 21:57:51.000000000 +0200
+++ newlib/newlib/libc/posix/closedir.c	2013-11-13 09:41:46.776079589 +0100
@@ -63,7 +63,6 @@
 		dirp->dd_fd = -1;
 		dirp->dd_loc = 0;
 		(void)free((void *)dirp->dd_buf);
-		(void)free((void *)dirp);
 		rc = close(fd);
 		_cleanupdir(dirp);
 	}
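Review bot: _cleanupdir(dirp) is still inside the block that ends at the closing brace here, while the free() of dirp that this hunk removes becomes unconditional in the next hunk. On the path that skips this block, the struct is therefore freed without _cleanupdir() having run. If _cleanupdir() drops a reference to dirp that is held elsewhere, that path leaves a stale pointer behind. Please confirm that a DIR which skips this block can never still be registered, or move the _cleanupdir(dirp) call out of the block so it sits with the final free().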
@@ -71,6 +70,7 @@
 	__lock_release_recursive(dirp->dd_lock);
 	__lock_close_recursive(dirp->dd_lock);
 #endif
+	(void)free((void *)dirp);
 	return rc;
 }
 
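Review bot: the free() added after #endif carries no comment explaining why it has to sit there. The two lock calls directly above it read dirp->dd_lock, so the free() must stay below them; a one-line comment saying so would stop a later cleanup from moving it back up next to the free() of dd_buf. The (void) and (void *) casts are not needed on free(), but they match the line removed in the first hunk, so keeping them for consistency is fine.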
