On 10/17/2012 10:44 AM, Jim Meyering wrote: > From a5365003c88f4fce6293827c13f90acd0b5bd0cc Mon Sep 17 00:00:00 2001 > From: Jim Meyering <j...@meyering.net> > Date: Tue, 16 Oct 2012 17:43:49 +0200 > Subject: [PATCH] cp: avoid data-corrupting free-memory-read > > * src/extent-scan.c (extent_scan_read): Reset our last_ei > pointer whenever the parent buffer might have just been freed. > * tests/cp/fiemap-extent-FMR.sh: New test. > * tests/local.mk (all_tests): Add it. > * NEWS (Bug fixes): Mention it. > Reported by Mike Gerth in http://bugs.gnu.org/12656, and with > help from Alan Curry. Bug introduced in commit v8.10-60-g18f5a85. > --- > NEWS | 4 ++++ > src/extent-scan.c | 12 +++++++++--- > tests/cp/fiemap-FMR.sh | 31 +++++++++++++++++++++++++++++++ > tests/local.mk | 1 + > 4 files changed, 45 insertions(+), 3 deletions(-) > create mode 100755 tests/cp/fiemap-FMR.sh > > diff --git a/NEWS b/NEWS > index aff5bf1..46ce698 100644 > --- a/NEWS > +++ b/NEWS > @@ -12,6 +12,10 @@ GNU coreutils NEWS -*- > outline -*- > > ** Bug fixes > > + cp could read from freed memory and could even make corrupt copies. > + This could happen only with a very fragmented input file and when using > + its FIEMAP/extent-based copying code. [bug introduced in coreutils-8.11]
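Review bot: the NEWS entry in this hunk attributes the bug to cp alone, but the fix lands in src/extent-scan.c, which src/local.mk compiles into cp, mv and ginstall through copy_sources (see the reply below), so the entry and the commit subject should name every affected program, e.g. "cp, mv and install could read from freed memory and could even make corrupt copies." Also, the summary above the diffstat names tests/cp/fiemap-extent-FMR.sh as the new test while the diffstat creates tests/cp/fiemap-FMR.sh; the two should agree before this is pushed.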
As the bug is in extent-scan.c, doesn't it also affect mv (and ginstall)?

In src/local.mk:

  copy_sources = \
    src/copy.c \
    src/cp-hash.c \
    src/extent-scan.c \
    src/extent-scan.h
  ...
  src_ginstall_SOURCES = src/install.c src/prog-fprintf.c $(copy_sources)
  ...
  src_cp_SOURCES = src/cp.c $(copy_sources)
  ...
  src_mv_SOURCES = src/mv.c src/remove.c $(copy_sources)

Have a nice day,
Berny