From: boehm.igor@gmail.com
To: 9front@9front.org
CC: boehm.igor@gmail.com
Date: Tue, 02 Feb 2021 02:03:17 +0100
Subject: [9front] cmd/acme: fix user after free in wind.c (patch)

The function /sys/src/cmd/acme/wind.c:/^winaddincl contains a use after free. Below is a possible patch that also hopefully demonstrates the issue where 'a' is freed but might be used later to format a warning:

diff -r 0b8c8ef6a3d4 sys/src/cmd/acme/wind.c --- a/sys/src/cmd/acme/wind.c Tue Jan 19 15:18:57 2021 -0800 +++ b/sys/src/cmd/acme/wind.c Tue Feb 02 01:55:54 2021 +0100 @@ -610,13 +610,14 @@ r = runerealloc(r, n+1); r[n] = 0; } - free(a); if((d->qid.type&QTDIR) == 0){ free(d); warning(nil, "%s: not a directory\n", a); free(r); + free(a); return; } + free(a); free(d); w->nincl++; w->incl = realloc(w->incl, w->nincl*sizeof(Rune*));
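
Review bot: the fix leaves two separate free(a) calls, one before the return in the not-a-directory branch and one just ahead of free(d) on the fall-through path, and nothing in the code records why the single free(a) that used to sit above the if cannot be hoisted back there. Both new placements are correct, since the only later use of a visible here is the warning(nil, "%s: not a directory\n", a) call and the free now follows it, but a later cleanup that merges the duplicated frees would reintroduce the use after free. A short comment at the removed line, noting that a is still needed by the warning in the error branch, would guard against that. It would also read more consistently if the error branch released its buffers in one group after the warning (free(d) currently comes before it, which is harmless because the warning does not reference d).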