Package: pmount
Version: 0.9.23-6
Tags: patch

Dear Debian maintainers,
I stumbled over a use-after-free bug in pmount. It's in its realpath implementation when dealing with stacked symlinks, i.e. symlinks pointing to symlinks. (Ironically, pmount "switched to a [self-made] implementation of realpath, for security reasons", so that's that.) The bug is in realpath.c lines 144 to 149:

```
// while (symlink) {
//     [...]
        if (buf)
            free(buf);                    // (1)
        buf = xmalloc(m + n + 1);
        memcpy(buf, link_path, n);
        memcpy(buf + n, path, m + 1);     // (2)
        path = buf;                       // (3)
//     [...]
// }
```

This snippet is iterated in a while loop over the stacked symlinks, e.g. twice for a symlink pointing to a symlink pointing to a file. In this case `buf` is freed too early (1), as the memory region is still pointed to by `path` (3) and used afterwards (2). A simple (but probably bad) fix is to delay the freeing, as in the follow-up message. I don't fully understand all the pointer trickery going on in that function, so there might be better solutions.

Upstream of this package seems dead for a long time and Fedora uses Debian as upstream, so a fix in Debian would at least hit two major Linux distributions and their derivative ecosystems, and maybe even others.

Lastly, how to trigger this bug: run the test suite `make check` of pmount. Though you have to initialise the test data first (first follow-up commit to this). The test_policy test fails. On my system the `resolved_path` variable contained garbage at the end (probably copied from the invalid pointer reference) and `readlink()` failed with an error as such a file did not exist.