| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 24 Nov 2018 17:57:21 +0800
From: Pan Bian <bianpan2016@....com>
To: Andrew Morton <akpm@...ux-foundation.org>,
ernesto.mnd.fernandez@...il.com
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
Pan Bian <bianpan2016@....com>
Subject: [PATCH 1/1] hfsplus: do not free node before using
The function hfs_bmap_free frees node via hfs_bnode_put(node).
However, it then reads node->this when dumping error message on an error
path, which may result in a use-after-free bug. This patch frees node
only when it is never used.
Signed-off-by: Pan Bian <bianpan2016@....com>
---
fs/hfsplus/btree.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 236efe5..66774f4 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -466,14 +466,15 @@ void hfs_bmap_free(struct hfs_bnode *node)
nidx -= len * 8;
i = node->next;
- hfs_bnode_put(node);
if (!i) {
/* panic */;
pr_crit("unable to free bnode %u. "
"bmap not found!\n",
node->this);
+ hfs_bnode_put(node);
return;
}
+ hfs_bnode_put(node);
node = hfs_bnode_find(tree, i);
if (IS_ERR(node))
return;
--
2.7.4
Powered by blists - more mailing lists