From cfe1768815df56ed2b8f4c2909cb7c5684fad752 Mon Sep 17 00:00:00 2001
From: Shell
Date: Fri, 11 Oct 2024 14:45:39 +0800
Subject: [PATCH] fixup: smart: sys_mount: UAF vulnerability

This patch addresses a use-after-free (UAF) vulnerability in the sys_mount. The issue occurred due to improper handling of memory deallocation, which could lead to crashes or undefined behavior on user request of mounting.

Changes made:
- Moved the `rt_free(copy_source)` function call to occur after the necessary operations are completed, preventing premature deallocation of memory.

Signed-off-by: Shell
---
 components/lwp/lwp_syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/lwp/lwp_syscall.c b/components/lwp/lwp_syscall.c
index d64af4455a..6e99abe8a7 100644
--- a/components/lwp/lwp_syscall.c
+++ b/components/lwp/lwp_syscall.c
@@ -5810,13 +5810,13 @@ sysret_t sys_mount(char *source, char *target,
 if (copy_source && stat(copy_source, &buf) && S_ISBLK(buf.st_mode))
 {
 char *dev_fullpath = dfs_normalize_path(RT_NULL, copy_source);
- rt_free(copy_source);
 RT_ASSERT(rt_strncmp(dev_fullpath, "/dev/", sizeof("/dev/") - 1) == 0);
 ret = dfs_mount(dev_fullpath + sizeof("/dev/") - 1, copy_target, copy_filesystemtype, 0, tmp);
 if (ret < 0)
 {
 ret = -rt_get_errno();
 }
+ rt_free(copy_source);
 rt_free(dev_fullpath);
 }
 else
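Review bot: In the block-device branch of sys_mount, `RT_ASSERT(rt_strncmp(dev_fullpath, "/dev/", sizeof("/dev/") - 1) == 0)` is the only validation of a path derived from the caller's `source` before `dev_fullpath + sizeof("/dev/") - 1` is handed to dfs_mount, and the return of `dfs_normalize_path` is not checked for NULL. An assertion either halts the kernel on a user request or, where assertions are compiled out, lets the offset pointer through unchecked; a runtime check that fails the call would be safer, e.g. `if (!dev_fullpath || rt_strncmp(dev_fullpath, "/dev/", sizeof("/dev/") - 1) != 0) ret = -EINVAL;` with the dfs_mount call in the `else` and both frees kept on the common exit. Separately, `stat(copy_source, &buf) && S_ISBLK(buf.st_mode)` is true only when stat returns non-zero, so `buf.st_mode` appears to be read after a failed stat; `stat(copy_source, &buf) == 0` looks like the intent. The function begins before and continues after this hunk, so how the else branch releases copy_source cannot be confirmed from here.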