Blame 0002-Fix-use-after-free-introduced-in-0f21bdd0d7b2c45564d.patch

Bernhard M. Wiedemann 9cd258
From a35fbd503d944fa1d2a0e893d2ca97f244299b35 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 14 May 2019 13:55:52 +0300
Subject: [PATCH 2/2] Fix use-after-free introduced in
 0f21bdd0d7b2c45564ddb5a24bbebd530867bd54
Unlike typical fooFree() functions in rpm, Fclose() doesn't set the
pointer to NULL so there's a use-after-free in checking for Ferror()
that segfaults and stuff. Delay Fclose() until the end so we actually
catch io errors too, that was another thing that went missing in
commit 0f21bdd0d7b2c45564ddb5a24bbebd530867bd54 (although it would've
probably caused an error via null digest instead)
---
 rpmio/rpmfileutil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpmio/rpmfileutil.c b/rpmio/rpmfileutil.c
index 4349c64a7..16a954a10 100644
--- a/rpmio/rpmfileutil.c
+++ b/rpmio/rpmfileutil.c
@@ -37,7 +37,6 @@ int rpmDoDigest(int algo, const char * fn,int asAscii,
 	while ((rc = Fread(buf, sizeof(*buf), buflen, fd)) > 0)
 	    fsize += rc;
 	fdFiniDigest(fd, algo, (void **)&dig, &diglen, asAscii);
-	Fclose(fd);
     }
 
     if (dig == NULL || Ferror(fd)) {
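Review bot: The `Ferror(fd)` test in `if (dig == NULL || Ferror(fd))` runs outside the block closed by the `}` just above it, so if that block is conditional on the open succeeding, the check is safe only because `dig == NULL` short-circuits before `fd` is touched. A one-line comment at the spot where `Fclose(fd)` used to be, saying the handle has to stay open until after the `Ferror()` check, would keep a later cleanup from moving the close back and reintroducing the use-after-free.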
@@ -50,6 +49,7 @@ int rpmDoDigest(int algo, const char * fn,int asAscii,
 
     dig = _free(dig);
     free(buf);
+    Fclose(fd);
 
     return rc;
 }
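Review bot: The `Fclose(fd)` added before `return rc` is reached on every path that gets to this cleanup, including any where the file was never opened, and its return value is dropped. Please confirm `Fclose()` tolerates a NULL `fd` (or guard the call with `if (fd)`), and consider folding a failed close into `rc`, since the commit message gives catching I/O errors as a reason for delaying the close.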
-- 
2.20.1