Package: pmount
Version: 0.9.23-6
Tags: patch

Dear Debian maintainers

I stumbled over a use-after-free bug in pmount.  It's in its realpath 
implementation when dealing with stacked symlinks, i.e. symlinks pointing to 
symlinks. (Ironically, pmount "switched to a [self-made] implementation of 
realpath, for security reasons", so that's that).

The bug is in realpath.c lines 144 to 149:
```c
// while (symlink) {
// [...]
        if (buf)
                free(buf);             // (1) frees the buffer `path` still points to
        buf = xmalloc(m + n + 1);
        memcpy(buf, link_path, n);
        memcpy(buf + n, path, m + 1);  // (2) reads from the freed buffer via `path`
        path = buf;                    // (3) aliases `path` to `buf` for the next iteration
// [...]
// }
```
This snippet is iterated in a while loop over the stacked symlinks, e.g. twice 
for a symlink pointing to a symlink pointing to a file. In this case `buf` is 
freed too early (1) as the memory region is still pointed to by `path` (3) and 
used afterwards (2).

A simple (but properly bad) fix is to delay the freeing as in the follow-up 
message.  I don't fully understand all the pointer trickery going on in that 
function, so there might be better solutions.

Upstream of this package seems to have been dead for a long time and Fedora uses 
Debian as upstream, so a fix in Debian would at least hit two major Linux 
distributions and their derivative ecosystems and maybe even others.

Lastly, how to trigger this bug.  Run the test suite `make check` of pmount.  
Though you have to initialise the test data first (first follow-up commit to 
this). The test_policy test then fails.  On my system the `resolved_path` variable 
contained garbage at the end (probably copied from the invalid pointer 
reference) and `readlink()` failed with an error as such a file did not exist.
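The following is an added, stand-alone model of the loop step from the report, not code from pmount or from the reporter's follow-up patch. It keeps the snippet's buffer-building logic (link target prepended to the remaining path) but orders the operations so that the previous buffer is only released after the copies that read from it. The symlink chain is a constructed array of link targets instead of real filesystem symlinks, `xmalloc_or_die` stands in for pmount's `xmalloc`, and the function names are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for pmount's xmalloc(): abort on allocation failure. */
static void *xmalloc_or_die(size_t n)
{
    void *p = malloc(n);
    if (!p) {
        perror("malloc");
        exit(1);
    }
    return p;
}

/*
 * One iteration of the while (symlink) loop from the bug report, fixed.
 * `path` is the still-unresolved remainder, `link_path` the readlink()
 * result for the current component, and `*bufp` the buffer owned by the
 * previous iteration (NULL on the first pass). `path` may alias `*bufp`,
 * exactly as in the original, so the old buffer is freed only after the
 * memcpy() that reads through `path`. Returns the new path, which is also
 * the new *bufp.
 */
static char *stack_link(const char *path, const char *link_path, char **bufp)
{
    size_t n = strlen(link_path);
    size_t m = strlen(path);
    char *old = *bufp;                       /* possibly the same memory as `path` */
    char *buf = xmalloc_or_die(n + m + 1);   /* allocate first ... */
    memcpy(buf, link_path, n);
    memcpy(buf + n, path, m + 1);            /* ... copy while `old` is still live ... */
    free(old);                               /* ... and only then release it */
    *bufp = buf;
    return buf;
}

/*
 * Walk a constructed chain of link targets (symlink -> symlink -> ... -> file),
 * prepending each target to the remaining path as the loop in realpath.c does.
 * Returns a malloc()'ed string the caller must free.
 */
char *resolve_chain(const char *start, const char *const *targets, size_t count)
{
    char *buf = NULL;
    const char *path = start;
    for (size_t i = 0; i < count; i++)
        path = stack_link(path, targets[i], &buf);
    if (buf)
        return buf;
    /* No symlinks at all: hand back a private copy of the input. */
    size_t len = strlen(start);
    char *copy = xmalloc_or_die(len + 1);
    memcpy(copy, start, len + 1);
    return copy;
}

/*
 * Constructed two-level case from the report: a symlink pointing to a symlink
 * pointing to a file. Returns 1 when the resolved path is the expected one.
 */
int demo_stacked_symlink(void)
{
    const char *const targets[] = { "/b", "/a" };   /* constructed chain */
    char *resolved = resolve_chain("/file", targets, 2);
    int ok = strcmp(resolved, "/a/b/file") == 0;
    free(resolved);
    return ok;
}

int main(void)
{
    printf("stacked symlink resolution %s\n",
           demo_stacked_symlink() ? "ok" : "FAILED");
    return 0;
}
```

The second iteration is the one that matters: there `path` already points at the buffer from the first pass, so the original order (free, allocate, copy) copies from freed memory, which is where the garbage at the end of `resolved_path` in the failing test comes from. Running this under AddressSanitizer or valgrind with the free() moved back above the allocation makes the read-after-free visible.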
