Date: Mon, 26 Nov 2018 10:21:28 +0800 From: Pan Bian <bianpan2016@....com> To: linux-kernel@...r.kernel.org Cc: Kai Bankett <chaosman@...ika.net>, Pan Bian <bianpan2016@....com> Subject: [PATCH] fs/qnx6: set and bh1 and bh2 to NULL after dropping references The function qnx6_fill_super drops the reference to bh2 when superblock 1 is activated via brelse, otherwise it drops the reference to bh1 when superblock 2 is activated. If error occurs after that, it will try to drop the references to bh1 and bh2 again. This may result in use-after-free bugs. The patch sets bh1 and bh2 to NULL after their reference counts are decreased. Signed-off-by: Pan Bian <bianpan2016@....com> --- fs/qnx6/inode.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/qnx6/inode.c b/fs/qnx6/inode.c index 4aeb26b..e8a8536 100644 --- a/fs/qnx6/inode.c +++ b/fs/qnx6/inode.c @@ -405,12 +405,14 @@ static int qnx6_fill_super(struct super_block *s, void *data, int silent) sbi->sb_buf = bh1; sbi->sb = (struct qnx6_super_block *)bh1->b_data; brelse(bh2); + bh2 = NULL; pr_info("superblock #1 active\n"); } else { /* superblock #2 active */ sbi->sb_buf = bh2; sbi->sb = (struct qnx6_super_block *)bh2->b_data; brelse(bh1); + bh1 = NULL; pr_info("superblock #2 active\n"); } mmi_success: -- 2.7.4
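Review bot: the changelog does not say which failure paths after mmi_success reach the second release, and both added lines (bh2 = NULL after brelse(bh2) in the superblock #1 branch, bh1 = NULL after brelse(bh1) in the superblock #2 branch) are only correct if that error path releases through the locals bh1/bh2 and brelse() is a no-op on NULL. Please name the error labels involved in the commit message and state the brelse(NULL) assumption, since this hunk shows neither. Note also that the buffer that is kept stays aliased in sbi->sb_buf in each branch, so it is worth confirming the cleanup code does not release it once through the local and once through sbi->sb_buf. The subject line reads "set and bh1 and bh2"; drop the first "and". A Fixes: tag pointing at the commit that introduced the early brelse() calls would help stable backports.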