| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211115035721.1909-2-thunder.leizhen@huawei.com>
Date: Mon, 15 Nov 2021 11:57:20 +0800
From: Zhen Lei <thunder.leizhen@...wei.com>
To: Alexander Viro <viro@...iv.linux.org.uk>,
David Howells <dhowells@...hat.com>,
<linux-fsdevel@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC: Zhen Lei <thunder.leizhen@...wei.com>
Subject: [PATCH 1/2] pipe: fix potential use-after-free in pipe_read()
Accessing buf->flags after pipe_buf_release(pipe, buf) is unsafe, because
the 'buf' memory maybe freed.
Fixes: e7d553d69cf6 ("pipe: Add notification lossage handling")
Signed-off-by: Zhen Lei <thunder.leizhen@...wei.com>
---
fs/pipe.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index 6d4342bad9f15b2..302f1e50ce3be1d 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -319,10 +319,12 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to)
}
if (!buf->len) {
+ unsigned int __maybe_unused flags = buf->flags;
+
pipe_buf_release(pipe, buf);
spin_lock_irq(&pipe->rd_wait.lock);
#ifdef CONFIG_WATCH_QUEUE
- if (buf->flags & PIPE_BUF_FLAG_LOSS)
+ if (flags & PIPE_BUF_FLAG_LOSS)
pipe->note_loss = true;
#endif
tail++;
--
2.26.0.106.g9fadedd
Powered by blists - more mailing lists