| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aN-Xw8KnbSnuIcLk@stanley.mountain>
Date: Fri, 3 Oct 2025 12:30:43 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Viacheslav Dubeyko <slava@...eyko.com>
Cc: John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>,
Yangtao Li <frank.li@...o.com>, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: [PATCH] hfs: fix potential use after free in
hfs_correct_next_unused_CNID()
This code calls hfs_bnode_put(node) which drops the refcount and then
dreferences "node" on the next line. It's only safe to use "node"
when we're holding a reference so flip these two lines around.
Fixes: a06ec283e125 ("hfs: add logic of correcting a next unused CNID")
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
fs/hfs/catalog.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
index caebabb6642f..b80ba40e3877 100644
--- a/fs/hfs/catalog.c
+++ b/fs/hfs/catalog.c
@@ -322,9 +322,9 @@ int hfs_correct_next_unused_CNID(struct super_block *sb, u32 cnid)
}
}
+ node_id = node->prev;
hfs_bnode_put(node);
- node_id = node->prev;
} while (node_id >= leaf_head);
return -ENOENT;
--
2.51.0
Powered by blists - more mailing lists