Commit d780868
mtd: fix use-after-free in find_ubi_for_mtd (segfault on musl arm64) (#171)
POSIX leaves struct dirent invalid after closedir(); glibc happens to
keep the buffer alive across the close, while musl invalidates it
immediately. find_ubi_for_mtd() did:

    closedir(d);
    int ubi_num;
    sscanf(de->d_name, "ubi%d", &ubi_num); /* <-- read freed memory */
    return ubi_num;

That's a segfault on the Bootlin-musl-built aarch64 release binary
(reproducible in `ipctool` -> "rom" step -> cb_mtd_info -> mtd4 ubifs
volume), while the same source builds clean and runs through to full
YAML on glibc.
Restructure to parse de->d_name BEFORE closedir(), with a single
local `ubi_num` initialised to -1 that's returned at the end. Also
flatten the `if (f)` block to early-`continue` on fopen() failure to
keep the control flow obvious.
Same fix would be the right thing for the equivalent dirent-after-
closedir pattern elsewhere in the tree if it surfaces.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent d18902f
commit d780868
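The dirent lifetime rule the commit message relies on, as an added example that is not code from the ipctool repository: a hardened lookup that parses `d_name` while the `DIR` is still open, copies the result into a local, and only then calls `closedir()`, plus a constructed fixture directory so it can be run offline. The function names (`find_ubi_num_safe`, `run_on_fixture`, `demo_found`, `demo_not_found`), the fixture entry names and the "-2 on fixture failure" convention are assumptions made here; the example models only the dirent-after-closedir issue, not ipctool's mtd lookup logic.

```c
/* Added example, not code from the ipctool repository: the dirent lifetime
 * bug described in the commit message, shown as a hardened helper plus a
 * constructed fixture. Names (find_ubi_num_safe, run_on_fixture) are
 * hypothetical. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Buggy shape (from the commit message; do not copy):
 *
 *     closedir(d);
 *     int ubi_num;
 *     sscanf(de->d_name, "ubi%d", &ubi_num);   // de is freed on musl
 *     return ubi_num;
 *
 * POSIX says the struct dirent returned by readdir() may be invalidated by
 * closedir(); glibc keeps the buffer alive by accident, musl frees it.
 */

/* Hardened form: parse d_name while the DIR is still open, copy the result
 * into a local, and only then closedir(). -1 means "no ubi%d entry". */
static int find_ubi_num_safe(const char *dir)
{
    int ubi_num = -1;
    DIR *d = opendir(dir);
    if (!d)
        return -1;

    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        int n;
        /* Check sscanf's return: on a non-matching name n is never written,
         * so an unchecked call would propagate an uninitialised value. */
        if (sscanf(de->d_name, "ubi%d", &n) == 1) {
            ubi_num = n;   /* copied out while de is still valid */
            break;
        }
    }
    closedir(d);           /* de must not be touched after this point */
    return ubi_num;
}

/* Build a constructed fixture directory holding the given entry names, run
 * find_ubi_num_safe() on it, remove it again and return the lookup result.
 * Returns -2 if the fixture could not be created (assumed convention). */
static int run_on_fixture(const char *const *names, size_t count)
{
    const char *base = getenv("TMPDIR");
    char tmpl[256];
    snprintf(tmpl, sizeof tmpl, "%s/ubi_example_XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(tmpl))
        return -2;

    char path[512];
    for (size_t i = 0; i < count; i++) {
        snprintf(path, sizeof path, "%s/%s", tmpl, names[i]);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0)
            close(fd);
    }

    int result = find_ubi_num_safe(tmpl);

    for (size_t i = 0; i < count; i++) {
        snprintf(path, sizeof path, "%s/%s", tmpl, names[i]);
        unlink(path);
    }
    rmdir(tmpl);
    return result;
}

/* Constructed fixture with one matching entry ("ubi4"): returns 4. */
static int demo_found(void)
{
    const char *const names[] = { "mtd0", "ubi4", "readme" };
    return run_on_fixture(names, 3);
}

/* Constructed fixture where "ubi" is only a prefix of a non-numeric name:
 * sscanf() returns 0 for "ubiblock", so the sentinel -1 is returned. */
static int demo_not_found(void)
{
    const char *const names[] = { "mtd0", "ubiblock", "readme" };
    return run_on_fixture(names, 3);
}

int main(void)
{
    printf("matching entry present: %d\n", demo_found());
    printf("no matching entry:      %d\n", demo_not_found());
    return 0;
}
```

The second fixture is the case the original code got wrong twice over: with `int ubi_num;` uninitialised and the `sscanf()` return ignored, a non-matching name would have returned stack garbage even on glibc, independent of the closedir() ordering.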
1 file changed
Lines changed: 15 additions & 11 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
125 | 125 | | |
126 | 126 | | |
127 | 127 | | |
| 128 | + | |
128 | 129 | | |
129 | 130 | | |
130 | 131 | | |
| |||
134 | 135 | | |
135 | 136 | | |
136 | 137 | | |
137 | | - | |
138 | | - | |
139 | | - | |
140 | | - | |
141 | | - | |
142 | | - | |
143 | | - | |
144 | | - | |
145 | | - | |
146 | | - | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
147 | 151 | | |
148 | 152 | | |
149 | 153 | | |
150 | | - | |
| 154 | + | |
151 | 155 | | |
152 | 156 | | |
153 | 157 | | |
| |||
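Review bot: the "Diff line change" column is empty in this rendered table, so the hunk body (additions at 128 and 138-150, deletions at 137-146 and 150) cannot be checked line by line here; the one thing to confirm in the source is that the new code tests the return value of `sscanf(de->d_name, "ubi%d", ...)` rather than only moving the call before `closedir()`, since with the pre-fix `int ubi_num;` an entry that does not match the format would have returned an uninitialised value even where the dirent was still valid. Initialising the single local `ubi_num` to -1 (as the message describes) covers that only if the parse writes into a separate temporary or the match is checked before assigning.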