[Pkg-mc-devel] Bug#774135: mc: segfault for SFTP VFS

Thorsten Glaser t.glaser at tarent.de
Tue Feb 17 17:17:49 UTC 2015


severity 774135 important
thanks

Dixi quod…

> I’ll track this down further.

OK, we have an honest code bug (typescript first, analysis below):

tglase at tglase:~ $ gdb /usr/bin/mc.distrib  ~/core
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnux32".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/mc.distrib...done.
BFD: Warning: /home/tglase/core is truncated: expected core file size >= 1744896, found: 1736704.
[New LWP 22766]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnux32/libthread_db.so.1".
Core was generated by `/usr/bin/mc -d'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xf77a0513 in sftpfs_cb_open_connection (super=<optimized out>, vpath=<optimized out>,
    vpath_element=<optimized out>) at vfs_subclass.c:114
114             vpath_element->class->verrno = mcerror->code;
(gdb) bt
#0  0xf77a0513 in sftpfs_cb_open_connection (super=<optimized out>, vpath=<optimized out>,
    vpath_element=<optimized out>) at vfs_subclass.c:114
#1  0xf775e839 in vfs_s_get_path (vpath=vpath at entry=0xf97ae880, archive=archive at entry=0xff95bec8,
    flags=flags at entry=0) at direntry.c:1147
#2  0xf775ecfb in vfs_s_inode_from_path (vpath=vpath at entry=0xf97ae880, flags=flags at entry=5)
    at direntry.c:380
#3  0xf775eeb1 in vfs_s_opendir (vpath=<optimized out>) at direntry.c:409
#4  0xf775ef18 in vfs_s_chdir (vpath=<optimized out>) at direntry.c:477
#5  0xf7728ac1 in mc_chdir (vpath=vpath at entry=0xf9797f90) at interface.c:685
#6  0xf7735f53 in _do_panel_cd (panel=<optimized out>, new_dir_vpath=0xf9797f90, cd_type=<optimized out>)
    at panel.c:3179
#7  0xf7736afc in do_panel_cd (panel=<optimized out>, new_dir_vpath=<optimized out>,
    cd_type=<optimized out>) at panel.c:4535
#8  0xf77380bd in do_cd (new_dir_vpath=new_dir_vpath at entry=0xf9797f90, exact=exact at entry=cd_parse_command)
    at panel.c:4934
#9  0xf77181bb in do_cd_command (orig_cmd=<optimized out>) at command.c:445
#10 0xf771865f in enter (lc_cmdline=<optimized out>) at command.c:263
#11 command_callback (w=<optimized out>, sender=<optimized out>, msg=<optimized out>,
    parm=<optimized out>, data=<optimized out>) at command.c:355
#12 0xf7731e2c in send_message (data=0x0, parm=10, msg=MSG_KEY, sender=0x0, w=<optimized out>)
    at ../../lib/widget/widget-common.h:167
#13 midnight_callback (w=<optimized out>, sender=<optimized out>, msg=<optimized out>,
    parm=<optimized out>, data=<optimized out>) at midnight.c:1469
#14 0xf7719eeb in send_message (data=0x0, parm=10, msg=MSG_KEY, sender=0x0, w=0xf9797fc0)
    at ../../lib/widget/widget-common.h:167
#15 dlg_key_event (d_key=10, h=<optimized out>) at dialog.c:504
#16 dlg_process_event (h=<optimized out>, key=10, event=<optimized out>) at dialog.c:1235
#17 0xf771a581 in frontend_dlg_run (h=0xf9797fc0) at dialog.c:569
#18 dlg_run (h=<optimized out>) at dialog.c:1266
#19 0xf7732ccd in create_panels_and_run_mc () at midnight.c:960
#20 do_nc () at midnight.c:1753
#21 0xf770d147 in main (argc=1, argv=0xff95c394) at main.c:414
(gdb) print mcerror
$1 = (GError *) 0x0
(gdb) list sftpfs_cb_open_connection
87       */
88
89      static int
90      sftpfs_cb_open_connection (struct vfs_s_super *super,
91                                 const vfs_path_t * vpath, const vfs_path_element_t * vpath_element)
92      {
93          GError *mcerror = NULL;
94          sftpfs_super_data_t *sftpfs_super_data;
95          int ret_value;
96
(gdb)
97          (void) vpath;
98
99          if (vpath_element->host == NULL || *vpath_element->host == '\0')
100         {
101             vfs_print_message (_("sftp: Invalid host name."));
102             vpath_element->class->verrno = EPERM;
103             return -1;
104         }
105
106         sftpfs_super_data = g_new0 (sftpfs_super_data_t, 1);
(gdb)
107         sftpfs_super_data->original_connection_info = vfs_path_element_clone (vpath_element);
108         super->data = sftpfs_super_data;
109         super->path_element = vfs_path_element_clone (vpath_element);
110
111         sftpfs_fill_connection_data_from_config (super, &mcerror);
112         if (mc_error_message (&mcerror))
113         {
114             vpath_element->class->verrno = mcerror->code;
115             return -1;
116         }


The thing is: mc_error_message free()s mcerror afterwards,
so this is a genuine use-after-free bug.

bye,
//mirabilos
-- 
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font.	-- Rob Pike in "Notes on Programming in C"
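
As an added illustration (my own C sketch, not mc's code), here is the corrected ordering for the check at vfs_subclass.c:114: the error code is copied out of the GError before mc_error_message() reports and frees it. The GError and vfs_class structs, mc_error_message() and fill_connection_data() are minimal stand-ins assumed for the example, modelled on the behaviour described above and on "print mcerror" showing 0x0 at the crash, not the real implementations.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for GLib's GError and for the VFS class that carries verrno. */
typedef struct { int code; const char *message; } GError;
typedef struct { int verrno; } vfs_class;

/* Models mc_error_message() as the mail describes it: report the error, then
 * free it; the pointer is cleared too, matching "print mcerror" = 0x0 in the
 * gdb session. Returns 1 if an error was pending. (Hypothetical, not mc's code.) */
static int mc_error_message(GError **err) {
    if (err == NULL || *err == NULL)
        return 0;
    fprintf(stderr, "mc: %s\n", (*err)->message);
    free(*err);
    *err = NULL;   /* from here on, (*err)->code is a NULL/dangling access */
    return 1;
}

/* Models sftpfs_fill_connection_data_from_config() failing with fail_code
 * (0 means success); the error object is constructed for the example. */
static void fill_connection_data(int fail_code, GError **err) {
    if (fail_code == 0)
        return;
    *err = malloc(sizeof **err);
    (*err)->code = fail_code;
    (*err)->message = "sftp: constructed config failure";
}

/* Fixed ordering for the vfs_subclass.c:114 pattern: copy the code out while
 * mcerror is still valid, and only then let mc_error_message() report and
 * free it. Returns -1 on error (with verrno set), 0 on success. */
static int open_connection_fixed(vfs_class *cls, int fail_code) {
    GError *mcerror = NULL;
    fill_connection_data(fail_code, &mcerror);
    if (mcerror != NULL) {
        int code = mcerror->code;      /* read before the free */
        mc_error_message(&mcerror);    /* frees and NULLs mcerror */
        cls->verrno = code;
        return -1;
    }
    return 0;
}

int main(void) {
    vfs_class cls = { 0 };
    int rc = open_connection_fixed(&cls, 42);   /* 42 is a constructed code */
    printf("rc=%d verrno=%d\n", rc, cls.verrno);
    return 0;
}
```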
