richyliu commented on PR #16455: URL: https://github.com/apache/nuttx/pull/16455#issuecomment-3129956909
The following is a demonstration of the use-after-free, combined with the incorrect pseudorename logic, affecting the `mv` command in NuttX's NuttShell (NSH).

```
NuttShell (NSH) NuttX-12.8.0
nsh> mkdir c
nsh> mkdir c/a
nsh> mkdir c/a/b
nsh> mkdir c/b
nsh> ls
/:
 c/
 dev/
nsh> mv c/b c/a
nsh> ls
/:
 b/
 c/
 dev/
nsh>
```

Due to the previously incorrect logic, when moving the directory c/b to c/a, it first checks for the existence of c/a/b. Seeing that it exists, it then tries to check for c/a/b/b. However, due to the use-after-free, it actually checks for <garbage>/b, where "<garbage>" is garbage data from the freed chunk. Due to the internal workings of the snprintf function used, the resultant string becomes "/b", which becomes the new move target of pseudorename. This is why c/b gets moved to /b.

Let me know if there's anything else needed on my end to get this merged.