[U-Boot] [PATCH] fs: ext4: fix crash on ext4ls
Tom Rini
trini at konsulko.com
Wed May 9 12:03:11 UTC 2018
On Wed, May 09, 2018 at 12:57:35PM +0300, Eugen Hristev wrote:
> Found a crash while issuing ext4ls with a non-existent directory.
> Crash test:
>
> => ext4ls mmc 0 1
> ** Can not find directory. **
> data abort
> pc : [<3fd7c2ec>] lr : [<3fd93ed8>]
> reloc pc : [<26f142ec>] lr : [<26f2bed8>]
> sp : 3f963338 ip : 3fdc3dc4 fp : 3fd6b370
> r10: 00000004 r9 : 3f967ec0 r8 : 3f96db68
> r7 : 3fdc99b4 r6 : 00000000 r5 : 3f96dc88 r4 : 3fdcbc8c
> r3 : fffffffa r2 : 00000000 r1 : 3f96e0bc r0 : 00000002
> Flags: nZCv IRQs off FIQs off Mode SVC_32
> Resetting CPU ...
>
> resetting ...
>
> Tested on SAMA5D2_Xplained board (sama5d2_xplained_mmc_defconfig)
>
> Looks like crash is introduced by commit:
> "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
>
> Issue is that dirnode is not initialized, and then freed if the call
> to ext4_ls fails. ext4_ls will not change the value of dirnode in this case
> thus we have a crash with data abort.
>
> I added initialization and a check for dirname being NULL.
>
> Fixes: "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
> Cc: Stefan Brüns <stefan.bruens at rwth-aachen.de>
> Cc: Tom Rini <trini at konsulko.com>
> Signed-off-by: Eugen Hristev <eugen.hristev at microchip.com>
> ---
> Hello,
>
> Regarding this fix, I am not sure if we actually need to free the node, but
> according to commit "fa9ca8a" , it was added to fix Coverity case.
> So, I decided to keep the free call under if statement if variable is NULL.
> If a different fix is required, please advise and I can change and resend.
>
> Thanks !
>
> fs/ext4/ext4fs.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
> index 4b36a3e..2a28031 100644
> --- a/fs/ext4/ext4fs.c
> +++ b/fs/ext4/ext4fs.c
> @@ -164,7 +164,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
>
> int ext4fs_ls(const char *dirname)
> {
> - struct ext2fs_node *dirnode;
> + struct ext2fs_node *dirnode = NULL;
> int status;
>
> if (dirname == NULL)
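Review bot: The `= NULL` initializer on `dirnode` only helps if the lookup call leaves `dirnode` untouched when it fails, and that contract is not visible in these lines. A one-line comment at the declaration stating that assumption would help the next reader. Separately, the commit message says a check was added for `dirname` being NULL, but `dirname == NULL` is already tested in the context line here and the new check is on `dirnode`; the message should be corrected in v2.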
> @@ -174,7 +174,8 @@ int ext4fs_ls(const char *dirname)
> FILETYPE_DIRECTORY);
> if (status != 1) {
> printf("** Can not find directory. **\n");
> - ext4fs_free_node(dirnode, &ext4fs_root->diropen);
> + if (dirnode)
> + ext4fs_free_node(dirnode, &ext4fs_root->diropen);
> return 1;
> }
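Review bot: In the `status != 1` path, the new `if (dirnode)` guard avoids passing NULL to `ext4fs_free_node()`, but it still assumes that any non-NULL `dirnode` seen after a failed lookup is a live node that is safe to free. Please confirm what the lookup does to its output pointer on failure. If it can return an error after assigning the pointer and releasing the node itself, this line would free it a second time. If other callers follow the same free-on-error pattern, consider putting the NULL check inside `ext4fs_free_node()` instead of at this call site so they are all covered.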
This looks good. Can you please do a v2 that also updates
test/fs/fs-test.sh to have a test for this case? Thanks!
--
Tom