I can't repro the segfault, but I can repro the UAF.

https://github.com/ram-nat/mhddfs/commit/26d0f119eaa7e3ffaaf330bf29672e13471cb091 says
> Fix crash due to use after free bug

 static int mhdd_readdir(
-	// free memory
-	HASH_ITER(hh, items_ht, item, tmp) {
-		free(item->name);
-		free(item->st);
-		free(item);
-	}
-	HASH_CLEAR(hh, items_ht);
+	// free memory
+	HASH_ITER(hh, items_ht, item, tmp) {
+		HASH_DEL(items_ht, item);
+		free(item->name);
+		free(item->st);
+		free(item);
+	}

and indeed running mhddfs under valgrind yields

$ valgrind ./mhddfs -f -o allow_other 100M? sum
==3722104== Memcheck, a memory error detector
==3722104== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==3722104== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==3722104== Command: ./mhddfs -f -o allow_other 100Ma 100Mb 100Mc sum
==3722104==
mhddfs: directory '/home/nabijaczleweli/uwu/mhddfs/100Ma' added to list
mhddfs: directory '/home/nabijaczleweli/uwu/mhddfs/100Mb' added to list
mhddfs: directory '/home/nabijaczleweli/uwu/mhddfs/100Mc' added to list
mhddfs: mount to: /home/nabijaczleweli/uwu/mhddfs/sum
mhddfs: move size limit 4294967296 bytes
Ignoring invalid max threads value 4294967295 > max (100000).
^Zbg ^Z
==3722104== Thread 3:
==3722104== Invalid read of size 8
==3722104==    at 0x10C810: mhdd_readdir (in /home/nabijaczleweli/uwu/mhddfs/mhddfs)
==3722104==    by 0x4876C76: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487E30C: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x4881122: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487C568: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x49311C3: start_thread (pthread_create.c:442)
==3722104==    by 0x49B0ABF: clone (clone.S:100)
==3722104==  Address 0x4cba4f0 is 16 bytes inside a block of size 72 free'd
==3722104==    at 0x484317B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3722104==    by 0x10C7DB: mhdd_readdir (in /home/nabijaczleweli/uwu/mhddfs/mhddfs)
==3722104==    by 0x4876C76: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487E30C: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x4881122: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487C568: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x49311C3: start_thread (pthread_create.c:442)
==3722104==    by 0x49B0ABF: clone (clone.S:100)
==3722104==  Block was alloc'd at
==3722104==    at 0x48455EF: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3722104==    by 0x10BC66: mhdd_readdir (in /home/nabijaczleweli/uwu/mhddfs/mhddfs)
==3722104==    by 0x4876C76: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487E30C: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x4881122: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487C568: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x49311C3: start_thread (pthread_create.c:442)
==3722104==    by 0x49B0ABF: clone (clone.S:100)
==3722104==
==3722104== Invalid read of size 8
==3722104==    at 0x10C823: mhdd_readdir (in /home/nabijaczleweli/uwu/mhddfs/mhddfs)
==3722104==    by 0x4876C76: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487E30C: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x4881122: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487C568: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x49311C3: start_thread (pthread_create.c:442)
==3722104==    by 0x49B0ABF: clone (clone.S:100)
==3722104==  Address 0x4cba4f0 is 16 bytes inside a block of size 72 free'd
==3722104==    at 0x484317B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3722104==    by 0x10C7DB: mhdd_readdir (in /home/nabijaczleweli/uwu/mhddfs/mhddfs)
==3722104==    by 0x4876C76: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487E30C: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x4881122: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487C568: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x49311C3: start_thread (pthread_create.c:442)
==3722104==    by 0x49B0ABF: clone (clone.S:100)
==3722104==  Block was alloc'd at
==3722104==    at 0x48455EF: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==3722104==    by 0x10BC66: mhdd_readdir (in /home/nabijaczleweli/uwu/mhddfs/mhddfs)
==3722104==    by 0x4876C76: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487E30C: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x4881122: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x487C568: ??? (in /usr/lib/x86_64-linux-gnu/libfuse3.so.3.14.0)
==3722104==    by 0x49311C3: start_thread (pthread_create.c:442)
==3722104==    by 0x49B0ABF: clone (clone.S:100)
==3722104==
^C==3722104==
==3722104== HEAP SUMMARY:
==3722104==     in use at exit: 471 bytes in 13 blocks
==3722104==   total heap usage: 1,121 allocs, 1,108 frees, 4,364,681 bytes allocated
==3722104==
==3722104== LEAK SUMMARY:
==3722104==    definitely lost: 24 bytes in 1 blocks
==3722104==    indirectly lost: 257 bytes in 7 blocks
==3722104==      possibly lost: 0 bytes in 0 blocks
==3722104==    still reachable: 190 bytes in 5 blocks
==3722104==         suppressed: 0 bytes in 0 blocks
==3722104== Rerun with --leak-check=full to see details of leaked memory
==3722104==
==3722104== For lists of detected and suppressed errors, rerun with: -s
==3722104== ERROR SUMMARY: 18 errors from 2 contexts (suppressed: 0 from 0)
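Review bot: The mhdd_readdir hunk is right to drop HASH_CLEAR rather than keep it after the loop: HASH_CLEAR(hh, items_ht) dereferences items_ht->hh.tbl through the head element, and the old loop had already free()d every element, which is the 8-byte read 16 bytes into a freed 72-byte block that valgrind shows; with HASH_DEL(items_ht, item) moved before the free() calls, uthash releases the table itself when the last element is unlinked and leaves items_ht NULL, so no clear is needed. Suggest a one-line comment on the HASH_DEL line saying that the table is freed with the last element, so a later reader does not "restore" the missing HASH_CLEAR.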
The diff appears correct based on uthash documentation and fixes the bug.
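To make the ownership rule behind the fix concrete, here is a self-contained C model of it (an added example, not mhddfs or uthash code): a shared table reachable only through each element's handle, freed when the last element is deleted. The names hash_table, hash_handle, dir_item, item_add, item_del, free_all, live_items and build_sample are assumptions for this example, the three directory entries are constructed input, and the "table pointer 16 bytes in" layout is an inference from the valgrind report rather than mhddfs' verified struct.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Added example: a minimal model of uthash's ownership scheme, not uthash or
 * mhddfs code. The table is reachable only via each element's handle
 * (hh.tbl) and is freed by whoever deletes the last element. */
struct hash_table {
    size_t num_items;
};

struct hash_handle {
    struct hash_table *tbl;   /* shared table, as uthash stores it in hh */
    void *next;               /* next element in insertion order */
};

/* Models the readdir cache entry: name, stat buffer, then the handle, so the
 * table pointer sits 16 bytes into the block (inference from the valgrind
 * report, not mhddfs' verified layout). */
struct dir_item {
    char *name;
    struct stat *st;
    struct hash_handle hh;
};

/* Append an item, creating the table on the first insertion (like HASH_ADD). */
static int item_add(struct dir_item **head, struct dir_item *item)
{
    item->hh.next = NULL;
    if (*head == NULL) {
        item->hh.tbl = calloc(1, sizeof *item->hh.tbl);
        if (item->hh.tbl == NULL)
            return -1;
        *head = item;
    } else {
        struct dir_item *last = *head;
        while (last->hh.next != NULL)
            last = last->hh.next;
        last->hh.next = item;
        item->hh.tbl = (*head)->hh.tbl;
    }
    item->hh.tbl->num_items++;
    return 0;
}

/* Unlink an item. Like HASH_DEL, removing the last element frees the table
 * and sets the head to NULL, which is why the fixed loop needs no HASH_CLEAR. */
static void item_del(struct dir_item **head, struct dir_item *item)
{
    struct hash_table *tbl = item->hh.tbl;
    if (*head == item) {
        *head = item->hh.next;
    } else {
        struct dir_item *p = *head;
        while (p != NULL && p->hh.next != item)
            p = p->hh.next;
        if (p != NULL)
            p->hh.next = item->hh.next;
    }
    item->hh.next = NULL;
    item->hh.tbl = NULL;
    if (--tbl->num_items == 0) {
        free(tbl);
        *head = NULL;
    }
}

static struct dir_item *item_new(const char *name)
{
    size_t len = strlen(name) + 1;
    struct dir_item *it = calloc(1, sizeof *it);
    if (it == NULL)
        return NULL;
    it->name = malloc(len);
    it->st = calloc(1, sizeof *it->st);
    if (it->name == NULL || it->st == NULL) {
        free(it->name); free(it->st); free(it);
        return NULL;
    }
    memcpy(it->name, name, len);
    return it;
}

/* The teardown order from the fix: unlink each entry, then free its parts.
 * The pre-fix order (free everything, then clear via the head) would read
 * (*head)->hh.tbl from an already freed block. Returns the number freed. */
static size_t free_all(struct dir_item **head)
{
    size_t freed = 0;
    struct dir_item *item, *tmp;
    for (item = *head; item != NULL; item = tmp) {
        tmp = item->hh.next;    /* saved before item is freed, as HASH_ITER does */
        item_del(head, item);
        free(item->name);
        free(item->st);
        free(item);
        freed++;
    }
    return freed;
}

static size_t live_items(const struct dir_item *head)
{
    return head == NULL ? 0 : head->hh.tbl->num_items;
}

/* Constructed sample: three entries, as a merged readdir would cache them. */
static struct dir_item *build_sample(void)
{
    static const char *names[] = { ".", "..", "file.txt" };
    struct dir_item *head = NULL;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct dir_item *it = item_new(names[i]);
        if (it == NULL) { free_all(&head); return NULL; }
        if (item_add(&head, it) != 0) {
            free(it->name); free(it->st); free(it);
            free_all(&head);
            return NULL;
        }
    }
    return head;
}

int main(void)
{
    struct dir_item *head = build_sample();
    size_t n = free_all(&head);
    return (n == 3 && head == NULL) ? 0 : 1;
}
```

Running the model under valgrind or ASan is clean because every element is unlinked before it is freed and the table goes with the last one; reordering free_all to free the parts first and then touch (*head)->hh.tbl reproduces the class of read the report above shows.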