On Wed, Sep 09, 2015 at 02:34:03PM -0500, Eric Sandeen wrote:
> Way back in 2002, commit 948ce18 fixed a potential use-after-free
> in verify_final_da_path, but the same fix was not applied to
> verify_final_dir2_path; apply it now.
>
> Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
> Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxxx>
> ---
Reviewed-by: Brian Foster <bfoster@xxxxxxxxxx>
> repair/dir2.c | 9 ++++++++-
> 1 files changed, 8 insertions(+), 1 deletions(-)
>
> diff --git a/repair/dir2.c b/repair/dir2.c
> index 44367c6..898b27e 100644
> --- a/repair/dir2.c
> +++ b/repair/dir2.c
> @@ -330,6 +330,7 @@ verify_final_dir2_path(xfs_mount_t *mp,
> const int p_level)
> {
> xfs_da_intnode_t *node;
> + xfs_dahash_t hashval;
> int bad = 0;
> int entry;
> int this_level = p_level + 1;
> @@ -409,6 +410,12 @@ _("would correct bad hashval in non-leaf dir block\n"
> }
>
> /*
> + * Note: squirrel hashval away _before_ releasing the
> + * buffer, preventing a use-after-free problem.
> + */
> + hashval = be32_to_cpu(btree[entry].hashval);
> +
> + /*
> * release/write buffer
> */
> ASSERT(cursor->level[this_level].dirty == 0 ||
> @@ -430,7 +437,7 @@ _("would correct bad hashval in non-leaf dir block\n"
> * set hashvalue to correctl reflect the now-validated
> * last entry in this block and continue upwards validation
> */
> - cursor->level[this_level].hashval = be32_to_cpu(btree[entry].hashval);
> + cursor->level[this_level].hashval = hashval;
>
> return(verify_final_dir2_path(mp, cursor, this_level));
> }
> --
> 1.7.1
>
> _______________________________________________
> xfs mailing list
> xfs@xxxxxxxxxxx
> http://oss.sgi.com/mailman/listinfo/xfs
|