fixup: smart: sys_mount: UAF vulnerability

This patch addresses a use-after-free (UAF) vulnerability in the sys_mount. The issue occurred due to improper handling of memory deallocation, which could lead to crashes or undefined behavior on user request of mounting. Changes made: - Moved the `rt_free(copy_source)` function call to occur after the necessary operations are completed, preventing premature deallocation of memory. Signed-off-by: Shell <[email protected]>
RT-Thread · Oct 21, 2024 · cfe1768 · cfe1768
1 parent fabee02
commit cfe1768
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/components/lwp/lwp_syscall.c b/components/lwp/lwp_syscall.c
@@ -5810,13 +5810,13 @@ sysret_t sys_mount(char *source, char *target,
     if (copy_source && stat(copy_source, &buf) && S_ISBLK(buf.st_mode))
     {
         char *dev_fullpath = dfs_normalize_path(RT_NULL, copy_source);
-        rt_free(copy_source);
         RT_ASSERT(rt_strncmp(dev_fullpath, "/dev/", sizeof("/dev/") - 1) == 0);
         ret = dfs_mount(dev_fullpath + sizeof("/dev/") - 1, copy_target, copy_filesystemtype, 0, tmp);
         if (ret < 0)
         {
             ret = -rt_get_errno();
         }
+        rt_free(copy_source);
         rt_free(dev_fullpath);
     }
     else