[PATCH] Fix use after free in closedir
Federico Terraneo
fede.tft@hotmail.it
Wed Nov 13 15:51:00 GMT 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/13/2013 04:17 PM, Corinna Vinschen wrote:
>
> Thanks! I think you found something very suspicious here. The
> test for fd != -1 is supposed to check... what?
>
> Opendir fails if open on the directory fails, so a valid DIR* also
> has a valid dd_fd value. The only time dd_fd can be -1
> programatically is when closedir has been called and in this case
> DIR* is invalid, too. Or, if two threads call closedir for the same
> DIR* at about the same time, one of them could find that dd_fd is
> -1 and skip the close/free stuff. However, the code
>
> fd = dirp->dd_fd; if (fd != -1) { dirp->dd_fd = -1;
>
> is definitely not thread-safe, and closedir is not *supposed* to
> be reentrant or thread-safe.
Indeed, having a closer look at the opendir logic, I agree that dd_fd
can never be -1, and the the code is definitely not thread safe
anyways unless HAVE_DD_LOCK is defined.
>
> This test doesn't make sense. libc/sys/sparc64/closedir.c and
> libc/sys/sysvi386/closedir.c both don't perform it either.
>
> What I would suggest is to simplify the call to this code instead:
>
> int _DEFUN(closedir, (dirp), register DIR *dirp) { int fd, rc;
>
> #ifdef HAVE_DD_LOCK __lock_acquire_recursive(dirp->dd_lock);
> #endif fd = dirp->dd_fd; rc = close(fd); _cleanupdir(dirp);
> (void)free((void *)dirp->dd_buf); #ifdef HAVE_DD_LOCK
> __lock_release_recursive(dirp->dd_lock);
> __lock_close_recursive(dirp->dd_lock); #endif (void)free((void
> *)dirp); return rc; }
>
> Does that make sense? Did I miss something?
>
Yes, but I would remove useles tests for -1 also in readdir.c and
readdir_r.c, see the attached patch.
2013-11-13 Terraneo Federico <fede.tft@hotmail.it>
* libc/posix/closedir.c: Fix use after free.
Remove useless test dd_fd != -1
* libc/posix/readdir.c: Remove useless test dd_fd == -1
* libc/posix/readdir_r.c: Ditto.
>
> Thanks, Corinna
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJSg5/FAAoJECkLFtN5Xr9fv4oH/2uShvGWKYd36t3Oa6qgM6kc
FCAeKulz45oxfPv5BknKK9tzGc0ReEK/n2keSFj0ibFh/MiOBWZIl9XWaItGwIPC
EV2BkYBtybHTQuHpBCvCyM56mA1m/zHExVNy5ypVKCMnG6MnmrlqBIQqKwufs2sU
qrBQ+znCaN54zxLKBd3KVx1KYeWd84v1cSWrvKaYRK0ywa4yWzCE1o9hMJmGDoyz
TkLFj2OUpSgI8z3S1D5HdoT8RjSQpIV+o3GK9VDfZaNrcrQIvCP9AfHr1fUAt13+
rLjMNFEwr79VqjqdDA3e+EzuSpLqctF0pMkvu+D/KIL6sSiaNtXwQeQrC/Xuzz4=
=zW7h
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: closedir.patch
Type: text/x-patch
Size: 1736 bytes
Desc: not available
URL: <http://sourceware.org/pipermail/newlib/attachments/20131113/9b039779/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: closedir.patch.sig
Type: application/octet-stream
Size: 287 bytes
Desc: not available
URL: <http://sourceware.org/pipermail/newlib/attachments/20131113/9b039779/attachment.obj>
More information about the Newlib
mailing list