fs: fs_open can corrupt fs_open_t object given via zfp parameter #29478
Assignees
Labels
Comments
|
This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time. |
de-nordic
added a commit
to de-nordic/zephyr
that referenced
this issue
Jan 28, 2021
Fixes problem when fs_open invoked on fs_file_t object, which is already holding information on opened file, overwrites references to other memory objects within the fs_file_t object causing resource leak. If fs_open is invoked on already used fs_file_t object, it will return -EBUSY. Note: The change requires that all fs_file_t objects should be initialized to 0. Fixes: zephyrproject-rtos#29478 Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
nashif
pushed a commit
that referenced
this issue
Jan 29, 2021
Fixes problem when fs_open invoked on fs_file_t object, which is already holding information on opened file, overwrites references to other memory objects within the fs_file_t object causing resource leak. If fs_open is invoked on already used fs_file_t object, it will return -EBUSY. Note: The change requires that all fs_file_t objects should be initialized to 0. Fixes: #29478 Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
There is no check, within
fs_open, whether the provided zfp already points to used object.This means that when
fs_openis used twice on the same object it will overwrite contents ofzfp before passing execution to file system driver.
This may lead to two possible outcomes, depending on whether zfp is used for opening (1) file with the same path or (2) file with different path.
According to fs_api tests (1) should end with an error, but this is actually left to file system driver and is not certain.
In both cases the file system driver will be called which may result in resource leak; e.g. LittleFS will allocate slab memory overwriting original pointer within provided
fs_file_tobject before further deciding if open is successful or not; this means that at this point, if there has been already memory allocated by previousfs_open, if such occurred.Depending on whether error occurred or not, and on stage, the pointers may be pointing to new resources, that might have been already released and is invalid, or NULL
To Reproduce
Using LittleFS mounted partition.
Call fs_open, on different or the same file, twice and observe
fs_file_t->filep.Expected behavior
Not breaking the original structure and returning with error instead.
Impact
Possible data corruption, resource leaks, double assignment of the same file system driver structures to different file streams.
Workaround
Always
fs_closefs_file_tbefore reusing structure. Avoid double-open as even on error the originalfs_file_tobject will be damaged.Environment (please complete the following information):
-- zephyrproject-rtos/zephyr: c13603e
The text was updated successfully, but these errors were encountered: