Bug#993373: Use-after-free bug in realpath()
Package: pmount
Version: 0.9.23-6
Tags: patch
Dear Debian maintainers
I stumbled over a use-after-free bug in pmount. It's in its realpath implementation when dealing with stacked symlinks, i.e. symlinks pointing to symlinks. (Ironically, pmount "switched to a [self-made] implementation of realpath, for security reasons", so that's that).
The bug is in realpath.c lines 144 to 149:
```c
// while (symlink) {
// [...]
if (buf)
    free(buf); // (1)
buf = xmalloc(m + n + 1);
memcpy(buf, link_path, n);
memcpy(buf + n, path, m + 1); // (2)
path = buf; // (3)
// [...]
// }
```
This snippet is iterated in a while loop over the stacked symlinks, e.g. twice for a symlink pointing to a symlink pointing to a file. In this case `buf` is freed too early (1), as the memory region is still pointed to by `path` (3) and used afterwards (2).
A simple (but probably bad) fix is to delay the freeing, as in the follow-up message. I don't fully understand all the pointer trickery going on in that function, so there might be better solutions.
Upstream of this package seems to have been dead for a long time, and Fedora uses Debian as upstream, so a fix in Debian would at least hit two major Linux distributions and their derivative ecosystems, and maybe even others.
Lastly, how to trigger this bug: run the test suite `make check` of pmount. Though you have to initialise the test data first (see the first follow-up commit to this). The test_policy test then fails. On my system the `resolved_path` variable contained garbage at the end (probably copied from the invalid pointer reference), and `readlink()` failed with an error as such a file did not exist.
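To make the ordering problem concrete, here is an added example (not pmount's code, and not the fix from the follow-up message) that reproduces the loop's concatenation step with the free moved after the copies. `xmalloc`, `join_link`, `resolve_chain` and `chain_matches` are hypothetical names, and the symlink chain is constructed inline instead of being read with `readlink()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for pmount's xmalloc(): abort on allocation failure. */
static void *xmalloc(size_t size) {
    void *p = malloc(size);
    if (!p) { perror("malloc"); abort(); }
    return p;
}

/* Corrected loop body: build link_path + path in a fresh buffer, and only
 * then release the previous buffer, which `path` may still point into.
 * The reported code freed *buf before the two memcpy() calls, so the
 * second iteration read `path` from freed memory. */
static char *join_link(char **buf, const char *link_path, const char *path) {
    size_t n = strlen(link_path);
    size_t m = strlen(path);
    char *next = xmalloc(n + m + 1);   /* allocate before freeing the old buffer */
    memcpy(next, link_path, n);
    memcpy(next + n, path, m + 1);     /* path may alias *buf: still valid here */
    if (*buf)
        free(*buf);                    /* now safe: nothing reads the old buffer */
    *buf = next;
    return next;
}

/* Walk a constructed chain of readlink() results the way the loop does,
 * keeping `path` pointed at the current buffer between iterations.
 * Returns a heap string the caller frees; with no links, a copy of tail. */
static char *resolve_chain(const char *const *links, size_t count, const char *tail) {
    char *buf = NULL;
    const char *path = tail;
    for (size_t i = 0; i < count; i++)
        path = join_link(&buf, links[i], path);   /* path == buf after this */
    if (!buf) {
        buf = xmalloc(strlen(tail) + 1);
        memcpy(buf, tail, strlen(tail) + 1);
    }
    return buf;
}

/* Resolve a chain and compare against the expected result; 1 on match. */
static int chain_matches(const char *const *links, size_t count,
                         const char *tail, const char *expected) {
    char *r = resolve_chain(links, count, tail);
    int ok = strcmp(r, expected) == 0;
    free(r);
    return ok;
}
```

Running `resolve_chain` over the two-link chain `{"b/", "a/"}` with tail `"file"` exercises the second iteration, where `path` aliases the buffer being replaced; under the original ordering that is the read from freed memory.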