libs/rt-thread-official
libs
/
rt-thread-official
mirror of https://github.com/RT-Thread/rt-thread.git
4
0
Fork 0
Code Issues Releases Wiki Activity

fixup: smart: sys_mount: UAF vulnerability 

This patch addresses a use-after-free (UAF) vulnerability in the
sys_mount. The issue occurred due to improper handling of memory
deallocation, which could lead to crashes or undefined behavior on user
request of mounting.

Changes made:
- Moved the `rt_free(copy_source)` function call to occur after the necessary
  operations are completed, preventing premature deallocation of memory.

Signed-off-by: Shell <smokewood@qq.com>
This commit is contained in:
Shell 2024-10-11 14:45:39 +08:00 committed by Rbb666
parent fabee02c38
commit cfe1768815
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
components/lwp/lwp_syscall.c
View File

@ -5810,13 +5810,13 @@ sysret_t sys_mount(char *source, char *target,
if (copy_source && stat(copy_source, &buf) && S_ISBLK(buf.st_mode)) if (copy_source && stat(copy_source, &buf) && S_ISBLK(buf.st_mode))
{ {
char *dev_fullpath = dfs_normalize_path(RT_NULL, copy_source); char *dev_fullpath = dfs_normalize_path(RT_NULL, copy_source);
rt_free(copy_source);
RT_ASSERT(rt_strncmp(dev_fullpath, "/dev/", sizeof("/dev/") - 1) == 0); RT_ASSERT(rt_strncmp(dev_fullpath, "/dev/", sizeof("/dev/") - 1) == 0);
ret = dfs_mount(dev_fullpath + sizeof("/dev/") - 1, copy_target, copy_filesystemtype, 0, tmp); ret = dfs_mount(dev_fullpath + sizeof("/dev/") - 1, copy_target, copy_filesystemtype, 0, tmp);
if (ret < 0) if (ret < 0)
{ {
ret = -rt_get_errno(); ret = -rt_get_errno();
} }
rt_free(copy_source);
rt_free(dev_fullpath); rt_free(dev_fullpath);
} }
else else