| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 Dec 2022 00:40:29 +0800
From: Zheng Wang <zyytlz.wz@....com>
To: dhowells@...hat.com
Cc: marc.dionne@...istor.com, linux-afs@...ts.infradead.org,
linux-kernel@...r.kernel.org, hackerzheng666@...il.com,
alex000young@...il.com, security@...nel.org,
Zheng Wang <zyytlz.wz@....com>
Subject: [PATCH] afs: Fix poential UAF in afs_make_call
There is a function call : afs_fs_get_capabilities calls afs_make_call, in
afs_make_call, if error occurs in rxrpc_kernel_send_data, it will call
afs_put_call twice, which will free the call. And the access of
call->state will trigger a use-after-free bug.
Signed-off-by: Zheng Wang <zyytlz.wz@....com>
---
fs/afs/rxrpc.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
index c62939e5ea1f..4871210c4b81 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -422,8 +422,7 @@ void afs_make_call(struct afs_addr_cursor *ac, struct afs_call *call, gfp_t gfp)
call->rxcall = NULL;
}
if (call->async) {
- if (cancel_work_sync(&call->async_work))
- afs_put_call(call);
+ cancel_work_sync(&call->async_work);
afs_put_call(call);
}
--
2.25.1
Powered by blists - more mailing lists