From 9b8666cb60335a6b611c04ac96369a236ef9774f9345e1417496bf72e99dbfdf Mon Sep 17 00:00:00 2001
From: Bernhard Voelker
Date: Sun, 28 Oct 2012 20:37:06 +0000
Subject: [PATCH] - Add upstream patch: * cp could read from freed memory and could even make corrupt copies. This could happen with a very fragmented and sparse input file, on GNU/Linux file systems supporting fiemap extent scanning. This bug also affects mv when it resorts to copying, and install. [bug introduced in coreutils-8.11]
OBS-URL: https://build.opensuse.org/package/show/Base:System/coreutils?expand=0&rev=160
---
 coreutils-cp-corrupt-fragmented-sparse.patch | 99 ++++++++++++++++++++
 coreutils.changes | 11 +++
 coreutils.spec | 2 +
 3 files changed, 112 insertions(+)
 create mode 100644 coreutils-cp-corrupt-fragmented-sparse.patch
diff --git a/coreutils-cp-corrupt-fragmented-sparse.patch b/coreutils-cp-corrupt-fragmented-sparse.patch
new file mode 100644
index 0000000..2eb4d46
--- /dev/null
+++ b/coreutils-cp-corrupt-fragmented-sparse.patch
@@ -0,0 +1,99 @@
+commit 64aef5fb9afecc023a6e719da161dbbf450908b8
+Author: Jim Meyering
+Date: Tue Oct 16 17:43:49 2012 +0200
+
+ cp: avoid data-corrupting free-memory-read
+
+ NEWS entry:
+ cp could read from freed memory and could even make corrupt copies.
+ This could happen with a very fragmented and sparse input file,
+ on GNU/Linux file systems supporting fiemap extent scanning.
+ This bug also affects mv when it resorts to copying, and install.
+ [bug introduced in coreutils-8.11]
+
+ * src/extent-scan.c (extent_scan_read): Reset our last_ei
+ pointer whenever the parent buffer might have just been freed.
+ * tests/cp/fiemap-extent-FMR.sh: New test.
+ * tests/local.mk (all_tests): Add it.
+ * NEWS (Bug fixes): Mention it.
+ Reported by Mike Gerth in http://bugs.gnu.org/12656, and with
+ help from Alan Curry. Bug introduced in commit v8.10-60-g18f5a85.
+
+Index: src/extent-scan.c
+===================================================================
+--- src/extent-scan.c.orig
++++ src/extent-scan.c
+@@ -89,7 +89,7 @@ extern bool
+ extent_scan_read (struct extent_scan *scan)
+ {
+ unsigned int si = 0;
+- struct extent_info *last_ei IF_LINT ( = scan->ext_info);
++ struct extent_info *last_ei = scan->ext_info;
+
+ while (true)
+ {
+@@ -127,8 +127,14 @@ extent_scan_read (struct extent_scan *sc
+
+ assert (scan->ei_count <= SIZE_MAX - fiemap->fm_mapped_extents);
+ scan->ei_count += fiemap->fm_mapped_extents;
+- scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
+- sizeof (struct extent_info));
++ {
++ /* last_ei points into a buffer that may be freed via xnrealloc.
++ Record its offset and adjust after allocation. */
++ size_t prev_idx = last_ei - scan->ext_info;
++ scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
++ sizeof (struct extent_info));
++ last_ei = scan->ext_info + prev_idx;
++ }
+
+ unsigned int i = 0;
+ for (i = 0; i < fiemap->fm_mapped_extents; i++)
+Index: tests/cp/fiemap-FMR
+===================================================================
+--- /dev/null
++++ tests/cp/fiemap-FMR
+@@ -0,0 +1,31 @@
++#!/bin/sh
++# Trigger a free-memory read bug in cp from coreutils-[8.11..8.19]
++
++# Copyright (C) 2012 Free Software Foundation, Inc.
++
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see .
++
++. "${srcdir=.}/init.sh"; path_prepend_ ./src
++print_ver_ cp
++
++require_valgrind_
++require_perl_
++: ${PERL=perl}
++
++$PERL -e 'for (1..600) { sysseek (*STDOUT, 4096, 1)' \
++ -e '&& syswrite (*STDOUT, "a" x 1024) or die "$!"}' > j || fail=1
++valgrind --quiet --error-exitcode=3 cp j j2 || fail=1
++cmp j j2 || fail=1
++
++Exit $fail
+Index: tests/Makefile.am
+===================================================================
+--- tests/Makefile.am.orig
++++ tests/Makefile.am
+@@ -342,6 +342,7 @@ TESTS = \
+ cp/existing-perm-race \
+ cp/fail-perm \
+ cp/fiemap-empty \
++ cp/fiemap-FMR \
+ cp/fiemap-perf \
+ cp/fiemap-2 \
+ cp/file-perm-race \
diff --git a/coreutils.changes b/coreutils.changes
index 555ea6a..b7a36c4 100644
--- a/coreutils.changes
+++ b/coreutils.changes
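Review bot: `size_t prev_idx = last_ei - scan->ext_info;` relies on `last_ei` pointing into the `ext_info` buffer, which the new initialisation at line 89 guarantees, but on the first pass of the `while (true)` loop both pointers still hold the value `ext_info` had on entry; if that can be NULL (its initialisation is not in this hunk), the subtraction is formally undefined even though it yields 0 in practice. A guard such as `size_t prev_idx = scan->ext_info ? (size_t) (last_ei - scan->ext_info) : 0;` preserves the result and removes the question, and a one-line `assert` that `last_ei` lies within `[ext_info, ext_info + ei_count)` before the `xnrealloc` would document the invariant the fix depends on. The enclosing function `extent_scan_read` starts before and ends after this hunk, so later readers of `last_ei` are not visible here. Separately, the embedded upstream log names `tests/cp/fiemap-extent-FMR.sh` and `tests/local.mk`, while the backported hunks add `tests/cp/fiemap-FMR` and edit `tests/Makefile.am`; a short note in the patch header that the test hunks were adapted to this release's build layout would avoid confusion when the patch is rebased.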
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Sun Oct 28 20:31:28 UTC 2012 - mail@bernhard-voelker.de
+
+- Add upstream patch:
+
+ * cp could read from freed memory and could even make corrupt copies.
+ This could happen with a very fragmented and sparse input file,
+ on GNU/Linux file systems supporting fiemap extent scanning.
+ This bug also affects mv when it resorts to copying, and install.
+ [bug introduced in coreutils-8.11]
+
 -------------------------------------------------------------------
 Fri Sep 21 11:55:12 UTC 2012 - froh@suse.com
diff --git a/coreutils.spec b/coreutils.spec
index a303659..f79ed03 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -76,6 +76,7 @@ Patch33: coreutils-8.9-singlethreaded-sort.patch
 Patch34: coreutils-acl-nofollow.patch
 Patch36: coreutils-basename_documentation.patch
 Patch37: coreutils-bnc#697897-setsid.patch
+Patch38: coreutils-cp-corrupt-fragmented-sparse.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 # this will create a cycle, broken up randomly - coreutils is just too core to have other
 # prerequires
@@ -119,6 +120,7 @@ uname unexpand uniq unlink uptime users vdir wc who whoami yes
 %patch34
 %patch36
 %patch37
+%patch38
 xz -dc %{S:4} >po/de.po