[quality] fixup: vulnerability in kernel

including out-of-bound access in dfs, and use-after-free in
aspace_traversal

Signed-off-by: Shell <smokewood@qq.com>
This commit is contained in:
Shell 2023-10-25 14:45:54 +08:00 committed by guo
parent 96edf7aeb6
commit e94b759160
3 changed files with 8 additions and 6 deletions

View File

@ -759,7 +759,7 @@ up_one:
/* remove '/' in the end of path if exist */ /* remove '/' in the end of path if exist */
dst--; dst--;
if ((dst != fullpath) && (*dst == '/')) if (dst >= fullpath && (dst != fullpath) && (*dst == '/'))
*dst = '\0'; *dst = '\0';
/* final check fullpath is not empty, for the special path of lwext "/.." */ /* final check fullpath is not empty, for the special path of lwext "/.." */

View File

@ -668,7 +668,7 @@ char *dfs_normalize_path(const char *directory, const char *filename)
/* remove '/' in the end of path if exist */ /* remove '/' in the end of path if exist */
dst--; dst--;
if ((dst != fullpath) && (*dst == '/')) if (dst >= fullpath && (dst != fullpath) && (*dst == '/'))
*dst = '\0'; *dst = '\0';
/* final check fullpath is not empty, for the special path of lwext "/.." */ /* final check fullpath is not empty, for the special path of lwext "/.." */

View File

@ -345,10 +345,10 @@ rt_inline rt_err_t _migrate_and_release_varea(rt_aspace_t aspace, rt_varea_t to,
{ {
/* uninstall operand & release the varea */ /* uninstall operand & release the varea */
_aspace_bst_remove(aspace, from); _aspace_bst_remove(aspace, from);
if (!(from->flag & MMF_STATIC_ALLOC))
rt_free(from);
to->size += from->size; to->size += from->size;
if (VAREA_NOT_STATIC(from))
rt_free(from);
} }
return error; return error;
} }
@ -1377,12 +1377,14 @@ int rt_aspace_traversal(rt_aspace_t aspace,
int (*fn)(rt_varea_t varea, void *arg), void *arg) int (*fn)(rt_varea_t varea, void *arg), void *arg)
{ {
rt_varea_t varea; rt_varea_t varea;
rt_varea_t next;
WR_LOCK(aspace); WR_LOCK(aspace);
varea = ASPACE_VAREA_FIRST(aspace); varea = ASPACE_VAREA_FIRST(aspace);
while (varea) while (varea)
{ {
next = ASPACE_VAREA_NEXT(varea);
fn(varea, arg); fn(varea, arg);
varea = ASPACE_VAREA_NEXT(varea); varea = next;
} }
WR_UNLOCK(aspace); WR_UNLOCK(aspace);