Bug 222089

Summary: Double free in fts_close()
Product: [Fedora] Fedora Reporter: Miloslav Trmač <mitr>
Component: glibcAssignee: Jakub Jelinek <jakub>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: drepper, meyering
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-01-18 21:40:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Make sure fts_cur is always valid after return from fts_read () none

Description Miloslav Trmač 2007-01-10 07:26:57 UTC 
Description of problem:
fts_read () may free () sp->fts_cur without updating sp->fts_cur to point to
another fts_ent, causing a double free in fts_close ().  This can happen only if
fchdir () or fts_safe_changedir () fails, which is why it usually doesn't happen
in practice.

The attached patch should fix the bug;  the unhandled exits from fts_read ()
were the error exits setting FTS_STOP, except for the first such exit.

Version-Release number of selected component (if applicable):
glibc-2.5.90-14

How reproducible:
Easiest by manually editing the code to fail in fts_safe_changedir () or
the FCHDIR calls.
Comment 1 Miloslav Trmač 2007-01-10 07:26:57 UTC 
Created attachment 145235 [details]
Make sure fts_cur is always valid after return from fts_read ()
Comment 2 Jim Meyering 2007-01-10 10:56:00 UTC 
Thanks for the report and fine patch.
FYI, this is fixed in what I consider to be "upstream": coreutils,
and now gnulib.  I fixed that same bug a year ago today:

    http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commit;h=58e925ce5fa

That one-line addition is a subset of your patch.
FYI, now, the master copy of fts.c is in gnulib.
I agree with the other parts of your change, too.  Those hunks appear
to be solely for improved maintainability -- a very good thing,
in fts.c!  It might be nice to put them in a separate delta.
I'm about to apply them to the gnulib version of fts.c.

For those who don't yet know, I should qualify the "upstream"
comment.  glibc is constrained by its ABI, and that is precisely
the problem, e.g., limiting the length of a full name to fit in
a short.  Also the O(depth^2) cycle-detection behavior that is
apparent for very deep trees.  Both of those are fixed in the gnulib
version, but making the changes in the glibc version would break
ABI compatibility.  Eventually, I will rename symbols in gnulib's
fts.c, and propose the addition of "nfts" to glibc.
Comment 3 Ulrich Drepper 2007-01-10 18:39:00 UTC 
Applied upstream.
Comment 4 Jakub Jelinek 2007-01-18 21:40:17 UTC 
Should be fixed in glibc-2.5.90-15 in rawhide.