
Bug#993373: Use-after-free bug in realpath()



Package: pmount
Version: 0.9.23-6
Tags: patch

Dear Debian maintainers,

I stumbled over a use-after-free bug in pmount.  It's in its realpath implementation when dealing with stacked symlinks, i.e. symlinks pointing to symlinks. (Ironically, pmount "switched to a [self-made] implementation of realpath, for security reasons", so that's that).

The bug is in realpath.c lines 144 to 149:
```c
// while (symlink) {
// [...]
	if (buf)
		free(buf);             // (1)
	buf = xmalloc(m + n + 1);
	memcpy(buf, link_path, n);
	memcpy(buf + n, path, m + 1);  // (2)
	path = buf;                    // (3)
// [...]
// }
```
This snippet is iterated in a while loop over the stacked symlinks, e.g. twice for a symlink pointing to a symlink pointing to a file. In this case `buf` is freed too early (1), as the memory region is still pointed to by `path` (3) and used afterwards (2).

A simple (but probably bad) fix is to delay the freeing, as in the follow-up message.  I don't fully understand all the pointer trickery going on in that function, so there might be better solutions.

Upstream of this package seems to have been dead for a long time, and Fedora uses Debian as upstream, so a fix in Debian would at least hit two major Linux distributions and their derivative ecosystems, and maybe even others.

Lastly, how to trigger this bug.  Run the test suite `make check` of pmount.  Though you have to initialise the test data first (first follow-up commit to this).  The test_policy test then fails.  On my system the `resolved_path` variable contained garbage at the end (probably copied from the invalid pointer reference) and `readlink()` failed with an error, as such a file did not exist.
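As an added illustration (not pmount's code and not the follow-up patch), the loop below keeps the same join of link target and remaining path that the snippet above performs, but orders the steps allocate, copy, free, so the old buffer is released only after the copy that reads from it. It resolves a constructed in-memory symlink chain (`stack1 -> stack2/ -> real/`, names made up here) instead of calling `readlink()`.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory symlink chain standing in for readlink():
 * stack1 -> stack2/ -> real/  (names are made up for this example). */
static const char *fake_readlink(const char *name, size_t len)
{
    static const struct { const char *link, *target; } chain[] = {
        { "stack1", "stack2/" }, { "stack2", "real/" },
    };
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++)
        if (strlen(chain[i].link) == len && strncmp(chain[i].link, name, len) == 0)
            return chain[i].target;
    return NULL;                      /* not a symlink */
}

/* Resolve leading symlink components of `input` the way the pmount loop does
 * (new path = link target + remaining path), but with the old buffer freed
 * only after the copy that reads from it. Caller frees the result. */
char *resolve_prefix(const char *input)
{
    char *buf = NULL;          /* buffer allocated by the previous iteration */
    const char *path = input;  /* remaining path; after iteration 1 it points into buf */
    for (int depth = 0; depth < 16; depth++) {        /* guard against link loops */
        size_t comp = strcspn(path, "/");
        const char *link_path = fake_readlink(path, comp);
        if (!link_path)
            break;
        const char *rest = path + comp + (path[comp] == '/');
        size_t n = strlen(link_path), m = strlen(rest);
        char *next = malloc(n + m + 1);               /* 1. allocate the new buffer    */
        if (!next) { free(buf); return NULL; }
        memcpy(next, link_path, n);                   /* 2. copy while `rest` is still */
        memcpy(next + n, rest, m + 1);                /*    backed by the old buffer   */
        free(buf);                                    /* 3. only now release it        */
        buf = next;
        path = buf;
    }
    if (buf)
        return buf;
    buf = malloc(strlen(input) + 1);                  /* no symlink: return a copy */
    return buf ? strcpy(buf, input) : NULL;
}
```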
