From: pr.jung
Date: Wed, 30 Jan 2019 08:35:27 +0000 (+0900)
Subject: storaged could cause heap use after free
X-Git-Tag: submit/tizen/20190131.065956^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=15bfdf8a1c1a0a191ff3423de1b4ea5a5310da74;p=platform%2Fcore%2Fsystem%2Fstoraged.git

storaged could cause heap use after free

- Call free() on remove_operation()(Thread)
- Access op->op on add_operation()(Main thread)

Change-Id: Iee3b3a545a04889d79f1d696dadce9d842769259
Signed-off-by: pr.jung
---

diff --git a/src/block/block.c b/src/block/block.c
index 2093858..100e9cb 100644
--- a/src/block/block.c
+++ b/src/block/block.c
@@ -2025,6 +2025,14 @@ static int add_operation(struct block_device *bdev,
 op->data = data;
 op->invocation = invocation;
 
+ /* Need to disble app2ext whenever unmounting mmc */
+ if (operation == BLOCK_DEV_UNMOUNT &&
+ bdev->data->state == BLOCK_MOUNT &&
+ bdev->data->block_type == BLOCK_MMC_DEV &&
+ bdev->data->primary)
+ if (app2ext_disable_all_external_pkgs() < 0)
+ _E("app2ext_disable_all_external_pkgs() failed");
+
 /* LOCK
 * during adding queue and checking the queue length */
 pthread_mutex_lock(&(th_manager[thread_id].mutex));
@@ -2042,15 +2050,6 @@ static int add_operation(struct block_device *bdev,
 pthread_mutex_unlock(&(th_manager[thread_id].mutex));
 /* UNLOCK */
 
- /* Need to disble app2ext whenever unmounting mmc */
- if (op->op == BLOCK_DEV_UNMOUNT &&
- bdev->data->state == BLOCK_MOUNT &&
- bdev->data->block_type == BLOCK_MMC_DEV &&
- bdev->data->primary)
- if (app2ext_disable_all_external_pkgs() < 0)
- _E("app2ext_disable_all_external_pkgs() failed");
-
-
 if (!start_th) {
 _D("Start New thread for block device");
 th_manager[thread_id].start_th = true;
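Review bot: The relocated check in the first hunk still reads `bdev->data->state`, `bdev->data->block_type` and `bdev->data->primary` without holding `th_manager[thread_id].mutex`. If the worker thread updates or releases `bdev->data` while running an earlier queued operation, this is a data race of the same family as the one being fixed; whether that can happen is not visible in the hunk and should be confirmed. Switching from `op->op` to the `operation` parameter does remove the read of `op` after it is handed to the worker, and a comment would keep that from regressing, e.g. `/* Must stay before the enqueue: once the mutex is released the worker thread may free op */`. The nested `if` would also be safer with braces around the outer body. add_operation begins before and continues after the visible hunks, so any other use of `op` after the unlock could not be checked here.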