Summary: | net/netatalk3 Use after free in get_tm_used()
---|---
Product: | Ports & Packages
Component: | Individual Port(s)
Reporter: | Jose Quinteiro <freebsd>
Assignee: | Joe Marcus Clarke <marcus>
Status: | Closed FIXED
Severity: | Affects Only Me
CC: | freebsd
Priority: | ---
Flags: | bugzilla: maintainer-feedback? (marcus)
Version: | Latest
Hardware: | Any
OS: | Any

Created attachment 219762: Proposed fix

A commit references this bug:

Author: marcus
Date: Sun Nov 22 22:08:39 UTC 2020
New revision: 556076
URL: https://svnweb.freebsd.org/changeset/ports/556076

Log:
  Fix two memory corruption crashes.

  * Use-after-free in afpd's Time Machine Code [1]
  * Memory overrun in extended attributes [2]

  PR: 251203 [1]
      244191 [2]
  Submitted by: Jose Quinteiro <freebsd@quinteiro.org>

Changes:
  head/net/netatalk3/Makefile
  head/net/netatalk3/files/patch-etc_afpd_volume.c
  head/net/netatalk3/files/patch-libatalk_vfs_extattr.c

Thanks so much for these fixes, Jose! Committed!

Created attachment 219761: Clang address sanitizer report

If get_tm_used encounters a directory with a name ending in "sparsebundle", and the logged-in user does not have execute permission on that directory, we destroy the infoplist bstring we created, and move on to the next entry. Unfortunately, we do not set infoplist to NULL, and trying to bdestroy infoplist at cleanup time causes an attempted read of bstring->slen in a region that was freed.

Found with Clang's address sanitizer.
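
The pattern described in the report, as an added example that is not netatalk's code or the submitted patch: a model of the directory walk where the error path destroys `infoplist` and the cleanup path destroys it again. `toy_bstr`, `toy_new`, `toy_destroy`, `walk`, `entry` and `sample_dir` are hypothetical names, and the string type is a pool-backed stand-in for a bstring so the stale access can be counted safely.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a bstrlib bstring. Slots live in a static pool so
 * a stale pointer can be inspected safely instead of invoking real UB. */
struct toy_bstr { int live; int slen; char data[64]; };
static struct toy_bstr pool[4];
static int stale_destroys; /* destroy calls that touched a released slot */

static struct toy_bstr *toy_new(const char *s) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) {
        if (pool[i].live) continue;
        pool[i].live = 1;
        snprintf(pool[i].data, sizeof pool[i].data, "%s", s);
        pool[i].slen = (int)strlen(pool[i].data);
        return &pool[i];
    }
    return NULL;
}
/* Like bdestroy(): NULL is harmless, but a stale pointer still gets
 * dereferenced. The counter marks the access the sanitizer reported. */
static void toy_destroy(struct toy_bstr *b) {
    if (b == NULL) return;
    if (!b->live) { stale_destroys++; return; }
    b->live = 0;
}
struct entry { const char *name; int searchable; };
/* Constructed input: one plain directory, one bundle without execute bit. */
static const struct entry sample_dir[] = {
    { "Documents", 1 }, { "mac.sparsebundle", 0 } };

/* Model of the walk; fixed=1 resets the pointer on the error path. */
static int walk(const struct entry *e, size_t n, int fixed) {
    struct toy_bstr *infoplist = NULL;
    stale_destroys = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(e[i].name);
        if (len < 12 || strcmp(e[i].name + len - 12, "sparsebundle") != 0)
            continue;
        infoplist = toy_new(e[i].name);
        if (!e[i].searchable) {           /* no execute permission */
            toy_destroy(infoplist);
            if (fixed) infoplist = NULL;  /* the reset the report asks for */
            continue;
        }
        toy_destroy(infoplist);           /* normal path (assumed to reset) */
        infoplist = NULL;
    }
    toy_destroy(infoplist);               /* cleanup: stale if never reset */
    return stale_destroys;
}
```

Pairing every destroy with an assignment to NULL makes the cleanup call a no-op, which is why the NULL check inside the destroy routine is only useful when callers reset their pointers.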