SHA256
1
0
forked from pool/coreutils

- Add upstream patch:

* cp could read from freed memory and could even make corrupt copies.
    This could happen with a very fragmented and sparse input file,
    on GNU/Linux file systems supporting fiemap extent scanning.
    This bug also affects mv when it resorts to copying, and install.
    [bug introduced in coreutils-8.11]

OBS-URL: https://build.opensuse.org/package/show/Base:System/coreutils?expand=0&rev=160
This commit is contained in:
Bernhard Voelker 2012-10-28 20:37:06 +00:00 committed by Git OBS Bridge
parent 7778de0576
commit 9b8666cb60
3 changed files with 112 additions and 0 deletions

View File

@ -0,0 +1,99 @@
commit 64aef5fb9afecc023a6e719da161dbbf450908b8
Author: Jim Meyering <jim@meyering.net>
Date: Tue Oct 16 17:43:49 2012 +0200
cp: avoid data-corrupting free-memory-read
NEWS entry:
cp could read from freed memory and could even make corrupt copies.
This could happen with a very fragmented and sparse input file,
on GNU/Linux file systems supporting fiemap extent scanning.
This bug also affects mv when it resorts to copying, and install.
[bug introduced in coreutils-8.11]
* src/extent-scan.c (extent_scan_read): Reset our last_ei
pointer whenever the parent buffer might have just been freed.
* tests/cp/fiemap-extent-FMR.sh: New test.
* tests/local.mk (all_tests): Add it.
* NEWS (Bug fixes): Mention it.
Reported by Mike Gerth in http://bugs.gnu.org/12656, and with
help from Alan Curry. Bug introduced in commit v8.10-60-g18f5a85.
Index: src/extent-scan.c
===================================================================
--- src/extent-scan.c.orig
+++ src/extent-scan.c
@@ -89,7 +89,7 @@ extern bool
extent_scan_read (struct extent_scan *scan)
{
unsigned int si = 0;
- struct extent_info *last_ei IF_LINT ( = scan->ext_info);
+ struct extent_info *last_ei = scan->ext_info;
while (true)
{
@@ -127,8 +127,14 @@ extent_scan_read (struct extent_scan *sc
assert (scan->ei_count <= SIZE_MAX - fiemap->fm_mapped_extents);
scan->ei_count += fiemap->fm_mapped_extents;
- scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
- sizeof (struct extent_info));
+ {
+ /* last_ei points into a buffer that may be freed via xnrealloc.
+ Record its offset and adjust after allocation. */
+ size_t prev_idx = last_ei - scan->ext_info;
+ scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
+ sizeof (struct extent_info));
+ last_ei = scan->ext_info + prev_idx;
+ }
unsigned int i = 0;
for (i = 0; i < fiemap->fm_mapped_extents; i++)
Index: tests/cp/fiemap-FMR
===================================================================
--- /dev/null
+++ tests/cp/fiemap-FMR
@@ -0,0 +1,31 @@
+#!/bin/sh
+# Trigger a free-memory read bug in cp from coreutils-[8.11..8.19]
+
+# Copyright (C) 2012 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ./src
+print_ver_ cp
+
+require_valgrind_
+require_perl_
+: ${PERL=perl}
+
+$PERL -e 'for (1..600) { sysseek (*STDOUT, 4096, 1)' \
+ -e '&& syswrite (*STDOUT, "a" x 1024) or die "$!"}' > j || fail=1
+valgrind --quiet --error-exitcode=3 cp j j2 || fail=1
+cmp j j2 || fail=1
+
+Exit $fail
Index: tests/Makefile.am
===================================================================
--- tests/Makefile.am.orig
+++ tests/Makefile.am
@@ -342,6 +342,7 @@ TESTS = \
cp/existing-perm-race \
cp/fail-perm \
cp/fiemap-empty \
+ cp/fiemap-FMR \
cp/fiemap-perf \
cp/fiemap-2 \
cp/file-perm-race \

View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Sun Oct 28 20:31:28 UTC 2012 - mail@bernhard-voelker.de
- Add upstream patch:
* cp could read from freed memory and could even make corrupt copies.
This could happen with a very fragmented and sparse input file,
on GNU/Linux file systems supporting fiemap extent scanning.
This bug also affects mv when it resorts to copying, and install.
[bug introduced in coreutils-8.11]
-------------------------------------------------------------------
Fri Sep 21 11:55:12 UTC 2012 - froh@suse.com

View File

@ -76,6 +76,7 @@ Patch33: coreutils-8.9-singlethreaded-sort.patch
Patch34: coreutils-acl-nofollow.patch
Patch36: coreutils-basename_documentation.patch
Patch37: coreutils-bnc#697897-setsid.patch
Patch38: coreutils-cp-corrupt-fragmented-sparse.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# this will create a cycle, broken up randomly - coreutils is just too core to have other
# prerequires
@ -119,6 +120,7 @@ uname unexpand uniq unlink uptime users vdir wc who whoami yes
%patch34
%patch36
%patch37
%patch38
xz -dc %{S:4} >po/de.po