lists.openwall.net - Open Source and information security mailing list archives
Date:   Mon, 26 Nov 2018 10:21:28 +0800
From:   Pan Bian <bianpan2016@....com>
To:     linux-kernel@...r.kernel.org
Cc:     Kai Bankett <chaosman@...ika.net>, Pan Bian <bianpan2016@....com>
Subject: [PATCH] fs/qnx6: set bh1 and bh2 to NULL after dropping references

The function qnx6_fill_super drops the reference to bh2 when superblock
1 is activated via brelse, otherwise it drops the reference to bh1 when
superblock 2 is activated. If an error occurs after that, it will try to
drop the references to bh1 and bh2 again. This may result in
use-after-free bugs. The patch sets bh1 and bh2 to NULL after their
reference counts are decreased.

Signed-off-by: Pan Bian <bianpan2016@....com>
---
 fs/qnx6/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/qnx6/inode.c b/fs/qnx6/inode.c
index 4aeb26b..e8a8536 100644
--- a/fs/qnx6/inode.c
+++ b/fs/qnx6/inode.c
@@ -405,12 +405,14 @@ static int qnx6_fill_super(struct super_block *s, void *data, int silent)
 		sbi->sb_buf = bh1;
 		sbi->sb = (struct qnx6_super_block *)bh1->b_data;
 		brelse(bh2);
+		bh2 = NULL;
 		pr_info("superblock #1 active\n");
 	} else {
 		/* superblock #2 active */
 		sbi->sb_buf = bh2;
 		sbi->sb = (struct qnx6_super_block *)bh2->b_data;
 		brelse(bh1);
+		bh1 = NULL;
 		pr_info("superblock #2 active\n");
 	}
 mmi_success:
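Review bot: The error-path double release that motivates this change is not visible in the hunk, so the commit message should name the cleanup code (the label or block that calls brelse(bh1) and brelse(bh2) after this point) so the claim can be verified from the patch itself; as far as these lines go, the fix is sound, since `brelse(bh2);` followed by `bh2 = NULL;` (and the mirror for bh1) turns any later brelse() on the released buffer into a no-op, as brelse() tolerates a NULL pointer, and the buffer that remains referenced is still owned through sbi->sb_buf. A Fixes: tag pointing at the commit that introduced the shared cleanup path would also help stable backports.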
-- 
2.7.4

