ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_system_core/libsparse
History
Eric Biggers ef4507b6c8 libsparse: fix double free after block splitting 
Due to https://r.android.com/1310496, sparse_file_write() splits all
blocks larger than 64 MiB.  However, the code that splits file-backed
blocks copies the pointer to the filename without duplicating the
underlying memory, causing a double free in backed_block_destroy()
later.  Fix this by using strdup().  Also, as long as that is being
fixed, also check for failure.

Test: SANITIZE_HOST=address mmm external/e2fsprogs
      mkdir mnt
      mkfs.ext4 img 1G
      sudo mount img mnt
      sudo cp /dev/urandom mnt/file
      sudo umount mnt
      ext2simg img simg

Before this fix it gave:

    ==2216498==ERROR: AddressSanitizer: attempting double-free on 0x602000000090 in thread T0:
        #0 0x55a52454c9a2 in free out/stage2/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/out/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0x7ffa247c82ee in backed_block_destroy(backed_block*) system/core/libsparse/backed_block.cpp:106:5
        #2 0x7ffa247c82ee in backed_block_list_destroy(backed_block_list*) system/core/libsparse/backed_block.cpp:124:7
        #3 0x7ffa247cd055 in sparse_file_destroy system/core/libsparse/sparse.cpp:49:3
        #4 0x55a524587b75 in main external/e2fsprogs/contrib/android/ext2simg.c:239:2

Change-Id: I4607ef5adcf6512645342beaf91aff6033414e54
2023-03-23 20:23:00 +00:00
..
include/sparse Merge changes from topic "sparse-file-read-enum" 2022-01-28 05:28:04 +00:00
.clang-format
Android.bp Fix module-file name collisions 2022-09-20 12:33:47 -07:00
append2simg.cpp Replace exit codes with EXIT_SUCCESS and EXIT_FAILURE. 2022-11-10 21:24:40 +01:00
backed_block.cpp libsparse: fix double free after block splitting 2023-03-23 20:23:00 +00:00
backed_block.h libsparse: Fix overflow of merged sparse chunk length 2020-08-11 08:34:28 +09:00
defs.h
img2simg.cpp Replace exit codes with EXIT_SUCCESS and EXIT_FAILURE. 2022-11-10 21:24:40 +01:00
output_file.cpp libsparse: Fix allocation failures on 32-bit systems. 2023-03-20 15:55:57 -07:00
output_file.h libsparse: Fix overflow of merged sparse chunk length 2020-08-11 08:34:28 +09:00
OWNERS
simg2img.cpp Replace exit codes with EXIT_SUCCESS and EXIT_FAILURE. 2022-11-10 21:24:40 +01:00
simg_dump.py simg_dump.py: fix error for CHUNK_TYPE_FILL 2022-10-03 16:27:49 +08:00
sparse.cpp libsparse: Propagate failures when resparsing files. 2023-03-16 21:50:03 -07:00
sparse_crc32.cpp
sparse_crc32.h
sparse_defs.h
sparse_err.cpp
sparse_file.h
sparse_format.h
sparse_fuzzer.cpp sparse_fuzzer: Bug fix 2022-04-04 14:03:55 +05:30
sparse_read.cpp libsparse: Don't spam errors in sparse_file_import_auto. 2022-06-01 18:36:04 -07:00