Fix double free in crypto.c and part.c

(cherry picked from commit 406868d6bbbaae9f10e9d05f644bb1566ba5e3bc)
2024-07-22 13:55:12 +08:00 · 2024-07-22 13:55:12 +08:00 · 3258492a81
commit 3258492a81
parent 029c76699c
3 changed files with 95 additions and 1 deletions
--- a/0005-part-Fix-potential-double-free-when-getting-parttype.patch
+++ b/0005-part-Fix-potential-double-free-when-getting-parttype.patch
@ -0,0 +1,37 @@
+From 32a3ec7e47243ea2c2530445df83f60f992f0c23 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Mon, 6 Nov 2023 18:38:34 +0100
+Subject: [PATCH] part: Fix potential double free when getting parttype
+
+fdisk_partition_get_type returns a pointer to a static table so
+we shouldn't free it. fdisk_unref_parttype should against this but
+we see some double free crashes that could be caused by this.
+
+Related: https://github.com/storaged-project/udisks/issues/1208
+---
+ src/plugins/part.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/plugins/part.c b/src/plugins/part.c
+index 46d31137..20bb3628 100644
+--- a/src/plugins/part.c
+++ b/src/plugins/part.c
+@@ -462,7 +462,6 @@ static gchar* get_part_type_guid_and_gpt_flags (const gchar *device, int part_nu
+     if (!ptype_string) {
+         g_set_error (error, BD_PART_ERROR, BD_PART_ERROR_FAIL,
+                      "Failed to get partition type for partition %d on device '%s'", part_num, device);
+-        fdisk_unref_parttype (ptype);
+         fdisk_unref_partition (pa);
+         close_context (cxt);
+         return NULL;
+@@ -470,7 +469,6 @@ static gchar* get_part_type_guid_and_gpt_flags (const gchar *device, int part_nu
+ 
+     ret = g_strdup (ptype_string);
+ 
+-    fdisk_unref_parttype (ptype);
+     fdisk_unref_partition (pa);
+     close_context (cxt);
+     return ret;
+-- 
+2.27.0
+
--- a/0006-crypto-Fix-double-free-in-bd_crypto_luks_remove_key.patch
+++ b/0006-crypto-Fix-double-free-in-bd_crypto_luks_remove_key.patch
@ -0,0 +1,49 @@
+From 1b6d24e0ec4fc50686a533ec209f7b1db952deb5 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 3 Apr 2024 15:58:04 +0200
+Subject: [PATCH] crypto: Fix double free in bd_crypto_luks_remove_key
+
+---
+ src/plugins/crypto.c | 1 -
+ tests/crypto_test.py | 6 ++++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
+index 3dabaabd..05931e80 100644
+--- a/src/plugins/crypto.c
+++ b/src/plugins/crypto.c
+@@ -1479,7 +1479,6 @@ gboolean bd_crypto_luks_remove_key (const gchar *device, BDCryptoKeyslotContext
+         return FALSE;
+     }
+ 
+-    crypt_safe_free (key_buf);
+     crypt_free (cd);
+     bd_utils_report_finished (progress_id, "Completed");
+     return TRUE;
+diff --git a/tests/crypto_test.py b/tests/crypto_test.py
+index 4d920c27..efe892b2 100644
+--- a/tests/crypto_test.py
+++ b/tests/crypto_test.py
+@@ -524,6 +524,9 @@ class CryptoTestRemoveKey(CryptoTestCase):
+         succ = BlockDev.crypto_luks_add_key(self.loop_dev, ctx, nctx2)
+         self.assertTrue(succ)
+ 
+        nctx3 = BlockDev.CryptoKeyslotContext(keyfile=self.keyfile)
+        succ = BlockDev.crypto_luks_add_key(self.loop_dev, ctx, nctx3)
+
+         with self.assertRaises(GLib.GError):
+             wctx = BlockDev.CryptoKeyslotContext(passphrase="wrong-passphrase")
+             BlockDev.crypto_luks_remove_key(self.loop_dev, wctx)
+@@ -534,6 +537,9 @@ class CryptoTestRemoveKey(CryptoTestCase):
+         succ = BlockDev.crypto_luks_remove_key(self.loop_dev, nctx2)
+         self.assertTrue(succ)
+ 
+        succ = BlockDev.crypto_luks_remove_key(self.loop_dev, nctx3)
+        self.assertTrue(succ)
+
+     @tag_test(TestTags.SLOW)
+     def test_luks_remove_key(self):
+         self._remove_key(self._luks_format)
+-- 
+2.27.0
+
--- a/libblockdev.spec
+++ b/libblockdev.spec
@ -3,7 +3,7 @@

 Name:    libblockdev
 Version: 3.0.4
-Release: 7
+Release: 8
 Summary: libblockdev is a C library supporting GObject introspection for manipulation of block devices
 License: LGPLv2+
 URL:     https://github.com/storaged-project/libblockdev
@ -13,6 +13,8 @@ Patch1: 0001-Add-BDPluginSpec-constructor-and-use-it-in-plugin_sp.patch
 Patch2: 0002-Fix-leaking-error.patch
 Patch3: 0003-lvm-dbus-Fix-leaking-error-in-bd_lvm_init.patch
 Patch4: 0004-nvme-Fix-potential-memory-leak.patch
+Patch5: 0005-part-Fix-potential-double-free-when-getting-parttype.patch
+Patch6: 0006-crypto-Fix-double-free-in-bd_crypto_luks_remove_key.patch

 BuildRequires: make glib2-devel libyaml-devel libbytesize-devel parted-devel libuuid-devel ndctl-devel device-mapper-devel
 BuildRequires: device-mapper-devel systemd-devel nss-devel volume_key-devel >= 0.3.9-7 libblkid-devel libmount-devel
@ -162,6 +164,12 @@ find %{buildroot} -type f -name "*.la" | xargs %{__rm}


 %changelog
+* Mon Jul 22 2024 kouwenqi <kouwenqi@kylinos.cn> - 3.0.4-8
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Fix double free in crypto.c and part.c
+
 * Fri Jul 12 2024 cenhuilin <cenhuilin@kylinos.cn> - 3.0.4-7
 - Type:bugfix
 - ID:NA