|
|
8bbbd5 |
From 6a71cce7ed735f83f9a6a6bad8beaa47f8d14734 Mon Sep 17 00:00:00 2001
|
|
|
8bbbd5 |
From: Ondrej Dubaj <odubaj@redhat.com>
|
|
|
8bbbd5 |
Date: Mon, 27 May 2019 10:06:14 +0200
|
|
|
8bbbd5 |
Subject: [PATCH 1/2] Fix use-after-free in delayed link processing (newc
|
|
|
8bbbd5 |
format)
|
|
|
8bbbd5 |
|
|
|
8bbbd5 |
During archiving, if some of the "delayed" hard link entries
|
|
|
8bbbd5 |
happened to disappear on filesystem (or become unreadable) for
|
|
|
8bbbd5 |
some reason (most probably race), the old code free()d the 'entry'
|
|
|
8bbbd5 |
and continued with the loop; the next loop though dereferenced
|
|
|
8bbbd5 |
'entry' and crashed the archiver.
|
|
|
8bbbd5 |
|
|
|
8bbbd5 |
Per report from Coverity.
|
|
|
8bbbd5 |
---
|
|
|
8bbbd5 |
tar/write.c | 9 ++++-----
|
|
|
8bbbd5 |
1 file changed, 4 insertions(+), 5 deletions(-)
|
|
|
8bbbd5 |
|
|
|
8bbbd5 |
diff --git a/tar/write.c b/tar/write.c
|
|
|
8bbbd5 |
index 9c24566..3970de2 100644
|
|
|
8bbbd5 |
--- a/tar/write.c
|
|
|
8bbbd5 |
+++ b/tar/write.c
|
|
|
8bbbd5 |
@@ -540,8 +540,7 @@ write_archive(struct archive *a, struct bsdtar *bsdtar)
|
|
|
8bbbd5 |
lafe_warnc(archive_errno(disk),
|
|
|
8bbbd5 |
"%s", archive_error_string(disk));
|
|
|
8bbbd5 |
bsdtar->return_value = 1;
|
|
|
8bbbd5 |
- archive_entry_free(entry);
|
|
|
8bbbd5 |
- continue;
|
|
|
8bbbd5 |
+ goto next_entry;
|
|
|
8bbbd5 |
}
|
|
|
8bbbd5 |
|
|
|
8bbbd5 |
/*
|
|
|
8bbbd5 |
@@ -559,13 +558,13 @@ write_archive(struct archive *a, struct bsdtar *bsdtar)
|
|
|
8bbbd5 |
bsdtar->return_value = 1;
|
|
|
8bbbd5 |
else
|
|
|
8bbbd5 |
archive_read_close(disk);
|
|
|
8bbbd5 |
- archive_entry_free(entry);
|
|
|
8bbbd5 |
- continue;
|
|
|
8bbbd5 |
+ goto next_entry;
|
|
|
8bbbd5 |
}
|
|
|
8bbbd5 |
|
|
|
8bbbd5 |
write_file(bsdtar, a, entry);
|
|
|
8bbbd5 |
- archive_entry_free(entry);
|
|
|
8bbbd5 |
archive_read_close(disk);
|
|
|
8bbbd5 |
+next_entry:
|
|
|
8bbbd5 |
+ archive_entry_free(entry);
|
|
|
8bbbd5 |
entry = NULL;
|
|
|
8bbbd5 |
archive_entry_linkify(bsdtar->resolver, &entry, &sparse_entry);
|
|
|
8bbbd5 |
}
|
|
|
8bbbd5 |
--
|
|
|
8bbbd5 |
2.17.1
|
|
|
8bbbd5 |
|
|
|
8bbbd5 |
|
|
|
8bbbd5 |
From a999ca882aeb8fce4f4f2ee1317f528984b47e8e Mon Sep 17 00:00:00 2001
|
|
|
8bbbd5 |
From: Ondrej Dubaj <odubaj@redhat.com>
|
|
|
8bbbd5 |
Date: Mon, 27 May 2019 10:34:48 +0200
|
|
|
8bbbd5 |
Subject: [PATCH 2/2] call missing archive_read_close() in write_archive()
|
|
|
8bbbd5 |
|
|
|
8bbbd5 |
---
|
|
|
8bbbd5 |
tar/write.c | 3 +--
|
|
|
8bbbd5 |
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
|
8bbbd5 |
|
|
|
8bbbd5 |
diff --git a/tar/write.c b/tar/write.c
|
|
|
8bbbd5 |
index 3970de2..63c619c 100644
|
|
|
8bbbd5 |
--- a/tar/write.c
|
|
|
8bbbd5 |
+++ b/tar/write.c
|
|
|
8bbbd5 |
@@ -556,8 +556,7 @@ write_archive(struct archive *a, struct bsdtar *bsdtar)
|
|
|
8bbbd5 |
"%s", archive_error_string(disk));
|
|
|
8bbbd5 |
if (r == ARCHIVE_FATAL)
|
|
|
8bbbd5 |
bsdtar->return_value = 1;
|
|
|
8bbbd5 |
- else
|
|
|
8bbbd5 |
- archive_read_close(disk);
|
|
|
8bbbd5 |
+ archive_read_close(disk);
|
|
|
8bbbd5 |
goto next_entry;
|
|
|
8bbbd5 |
}
|
|
|
8bbbd5 |
|
|
|
8bbbd5 |
--
|
|
|
8bbbd5 |
2.17.1
|
|
|
8bbbd5 |
|