| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220728113919.7985-1-Wentao_Liang_g@163.com>
Date: Thu, 28 Jul 2022 19:39:19 +0800
From: Wentao_Liang <Wentao_Liang_g@....com>
To: song@...nel.org
Cc: linux-raid@...r.kernel.org, linux-kernel@...r.kernel.org,
Wentao_Liang <Wentao_Liang_g@....com>
Subject: [PATCH] drivers:md:fix a potential use-after-free bug
In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and
may cause sh to be released. However, sh is subsequently used in lines
2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in an
use-after-free bug.
It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of
the function.
The bug has been confirmed by Song on 2021-08-14. Now, I resend this
patch with my real name. I hope the patch can be updated in a near
future.
Signed-off-by: Wentao_Liang <Wentao_Liang_g@....com>
---
drivers/md/raid5.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index 5d09256d7f81..93fcbeac5096 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -2881,10 +2881,10 @@ static void raid5_end_write_request(struct bio *bi)
if (!test_and_clear_bit(R5_DOUBLE_LOCKED, &sh->dev[i].flags))
clear_bit(R5_LOCKED, &sh->dev[i].flags);
set_bit(STRIPE_HANDLE, &sh->state);
- raid5_release_stripe(sh);
if (sh->batch_head && sh != sh->batch_head)
raid5_release_stripe(sh->batch_head);
+ raid5_release_stripe(sh);
}
static void raid5_error(struct mddev *mddev, struct md_rdev *rdev)
--
2.25.1
Powered by blists - more mailing lists