[coreutils] fix double free abort in tac (#628213)

Ondrej Vasik ovasik at fedoraproject.org
Mon Aug 30 13:29:53 UTC 2010


commit 2a672b5b694ddc9174f140a713c6da10c6e6e555
Author: Ondřej Vašík <ovasik at redhat.com>
Date:   Mon Aug 30 15:29:35 2010 +0200

    fix double free abort in tac (#628213)

 coreutils-8.5-tac-doublefree.patch |   82 ++++++++++++++++++++++++++++++++++++
 coreutils.spec                     |    8 +++-
 2 files changed, 89 insertions(+), 1 deletions(-)
---
diff --git a/coreutils-8.5-tac-doublefree.patch b/coreutils-8.5-tac-doublefree.patch
new file mode 100644
index 0000000..e8298c1
--- /dev/null
+++ b/coreutils-8.5-tac-doublefree.patch
@@ -0,0 +1,82 @@
+From b3959fc691e606857a3c6e9b316ec34819972245 Mon Sep 17 00:00:00 2001
+From: Jim Meyering <meyering at redhat.com>
+Date: Sat, 28 Aug 2010 17:45:29 +0200
+Subject: [PATCH] tac: avoid double free
+
+* src/tac.c (main): Reading a line longer than 16KiB would cause
+tac to realloc its primary buffer.  Then, just before exit, tac
+would mistakenly free the original (now free'd) buffer.
+This bug was introduced by commit be6c13e7, "maint: always free a
+buffer, to avoid even semblance of a leak".
+* NEWS (Bug fixes): Mention it.
+* tests/misc/tac (double-free): New test, to exercise this.
+Reported by Salvo Tomaselli in <http://bugs.debian.org/594666>.
+---
+ NEWS           |    3 +++
+ src/tac.c      |    6 ++++--
+ tests/misc/tac |    6 ++++++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 85f55a2..f29d311 100644
+--- a/NEWS
++++ b/NEWS
+@@ -11,6 +11,9 @@ GNU coreutils NEWS                                    -*- outline -*-
+   du -H and -L now consistently count pointed-to files instead of
+   symbolic links, and correctly diagnose dangling symlinks.
+
++  tac would perform a double-free when given an input line longer than 16KiB.
++  [bug introduced in coreutils-8.3]
++
+ ** New features
+
+   cp now accepts the --attributes-only option to not copy file data,
+diff --git a/src/tac.c b/src/tac.c
+index cec9736..859e006 100644
+--- a/src/tac.c
++++ b/src/tac.c
+@@ -633,7 +633,6 @@ main (int argc, char **argv)
+   if (! (read_size < half_buffer_size && half_buffer_size < G_buffer_size))
+     xalloc_die ();
+   G_buffer = xmalloc (G_buffer_size);
+-  void *buf = G_buffer;
+   if (sentinel_length)
+     {
+       strcpy (G_buffer, separator);
+@@ -666,6 +665,9 @@ main (int argc, char **argv)
+       error (0, errno, "-");
+       ok = false;
+     }
+-  free (buf);
++
++  size_t offset = sentinel_length ? sentinel_length : 1;
++  free (G_buffer - offset);
++
+   exit (ok ? EXIT_SUCCESS : EXIT_FAILURE);
+ }
+diff --git a/tests/misc/tac b/tests/misc/tac
+index 7631049..4130c00 100755
+--- a/tests/misc/tac
++++ b/tests/misc/tac
+@@ -24,6 +24,9 @@ my $prog = 'tac';
+
+ my $bad_dir = 'no/such/dir';
+
++# This must be longer than 16KiB to trigger the double free in coreutils-8.5.
++my $long_line = 'o' x (16 * 1024 + 1);
++
+ my @Tests =
+ (
+   ['segfault', '-r', {IN=>"a\n"}, {IN=>"b\n"}, {OUT=>"a\nb\n"}],
+@@ -67,6 +70,9 @@ my @Tests =
+    {ERR_SUBST => "s,`$bad_dir': .*,...,"},
+    {ERR => "$prog: cannot create temporary file in ...\n"},
+    {EXIT => 1}],
++
++  # coreutils-8.5's tac would double-free its primary buffer.
++  ['double-free', {IN=>$long_line}, {OUT=>$long_line}],
+ );
+
+ @Tests = triple_test \@Tests;
+--
+1.7.2.2.510.g7180a
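Review bot: The new `free (G_buffer - offset)` in src/tac.c relies on an invariant the hunk does not state: after allocation G_buffer is advanced by exactly `sentinel_length` bytes (or 1 when there is no sentinel) and every later realloc preserves that offset, so the live allocation's base is always `G_buffer - offset`; the advance itself is outside the hunk. The removed `void *buf = G_buffer;` cached the pre-realloc base, which is why the old free hit a stale pointer once a line over 16KiB forced a realloc. A comment at the free site would make this explicit, e.g. `/* G_buffer points offset bytes into the allocation; recompute the base rather than caching it, since a realloc may have moved it.  */`. If `-r` is what clears sentinel_length (I believe so, but that is not visible here), a second test with `-r` and the same long input would exercise the `: 1` branch of the ternary, which the added double-free test does not.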
diff --git a/coreutils.spec b/coreutils.spec
index 7c313d5..34ed34d 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,7 +1,7 @@
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name:    coreutils
 Version: 8.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv3+
 Group:   System Environment/Base
 Url:     http://www.gnu.org/software/coreutils/
@@ -18,6 +18,8 @@ Source202:  coreutils-su-l.pamd
 Source203:  coreutils-runuser-l.pamd
 
 # From upstream
+#fix double free error in tac (reported in debian bug #594666)
+Patch1: coreutils-8.5-tac-doublefree.patch
 
 # Our patches
 #general patch to workaround koji build system issues
@@ -121,6 +123,7 @@ Libraries for coreutils package.
 %setup -q
 
 # From upstream
+%patch1 -p1 -b .doublefree
 
 # Our patches
 %patch100 -p1 -b .configure
@@ -339,6 +342,9 @@ fi
 %{_libdir}/coreutils
 
 %changelog
+* Mon Aug 30 2010 Ondrej Vasik <ovasik at redhat.com> - 8.5-5
+- fix double free abort in tac (#628213)
+
 * Thu Jul 22 2010 Ondrej Vasik <ovasik at redhat.com> - 8.5-4
 - Add .ear, .war, .sar , for Java jar-like archives to
   dircolors (#616497)

