plougher / squashfs-tools

tools to create and extract Squashfs filesystems
GNU General Public License v2.0

Uninitialized struct stat in populate_tree #252

Closed m94mni closed 1 year ago

m94mni commented 1 year ago

When appending to an existing squashfs image, already existing items are read into the old_root_entry_info array.

Later on, in populate_tree, this entry is processed, and in particular entry->inode->buf.st_mode is accessed:

https://github.com/plougher/squashfs-tools/blob/04d3bc8056be0cdfeb599207454235cf10358429/squashfs-tools/mksquashfs.c#L4809

However, when entry->inode (of type struct stat) is created for squashfs entries (in add_old_root_entry), buf is left unassigned:

https://github.com/plougher/squashfs-tools/blob/04d3bc8056be0cdfeb599207454235cf10358429/squashfs-tools/mksquashfs.c#L5184-L5190

This leads to undefined behavior per C99, unless I'm missing initialization somewhere else. With a bit of bad luck, this would misidentify the preexisting entries.

The simple solution would be to add something like

 memset(&old_root_entry[old_root_entries].inode.buf, 0,
    sizeof(old_root_entry[old_root_entries].inode.buf));

to add_old_root_entry

plougher commented 1 year ago
if(S_ISDIR(entry->inode->buf.st_mode) && !entry->inode->root_entry) { 

With an old root entry the above will always evaluate to FALSE because entry->inode->root_entry == TRUE, and so the lack of initialisation of buf doesn't produce an unexpected result.

But, the code shouldn't be accessing uninitialised memory.