[PATCH 05/13] xfs_repair: fix use-after-free in verify_final_dir2

To:	xfs@xxxxxxxxxxx
Subject:	[PATCH 05/13] xfs_repair: fix use-after-free in verify_final_dir2_path
From:	Eric Sandeen <sandeen@xxxxxxxxxxx>
Date:	Wed, 9 Sep 2015 14:34:03 -0500
Delivered-to:	xfs@xxxxxxxxxxx
In-reply-to:	<1441827251-13128-1-git-send-email-sandeen@xxxxxxxxxxx>
References:	<1441827251-13128-1-git-send-email-sandeen@xxxxxxxxxxx>

Way back in 2002, commit 948ce18 fixed a potential use-after-free
in verify_final_da_path, but the same fix was not applied to
verify_final_dir2_path; apply it now.

Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxxx>
---
 repair/dir2.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/repair/dir2.c b/repair/dir2.c
index 44367c6..898b27e 100644
--- a/repair/dir2.c
+++ b/repair/dir2.c
@@ -330,6 +330,7 @@ verify_final_dir2_path(xfs_mount_t  *mp,
                const int               p_level)
 {
        xfs_da_intnode_t        *node;
+       xfs_dahash_t            hashval;
        int                     bad = 0;
        int                     entry;
        int                     this_level = p_level + 1;
@@ -409,6 +410,12 @@ _("would correct bad hashval in non-leaf dir block\n"
        }
 
        /*
+        * Note: squirrel hashval away _before_ releasing the
+        * buffer, preventing a use-after-free problem.
+        */
+       hashval = be32_to_cpu(btree[entry].hashval);
+
+       /*
         * release/write buffer
         */
        ASSERT(cursor->level[this_level].dirty == 0 ||
@@ -430,7 +437,7 @@ _("would correct bad hashval in non-leaf dir block\n"
         * set hashvalue to correctl reflect the now-validated
         * last entry in this block and continue upwards validation
         */
-       cursor->level[this_level].hashval = be32_to_cpu(btree[entry].hashval);
+       cursor->level[this_level].hashval = hashval;
 
        return(verify_final_dir2_path(mp, cursor, this_level));
 }
-- 
1.7.1

<Prev in Thread]	Current Thread	[Next in Thread>
[PATCH 0/13] xfs_repair: recombine cut&waste code in dir2.c/attr_repair.c, Eric Sandeen [PATCH 06/13] xfs_repair: add XR_DIR_TRACE to dir2.c, Eric Sandeen Re: [PATCH 06/13] xfs_repair: add XR_DIR_TRACE to dir2.c, Brian Foster [PATCH 05/13] xfs_repair: fix use-after-free in verify_final_dir2_path, Eric Sandeen <= Re: [PATCH 05/13] xfs_repair: fix use-after-free in verify_final_dir2_path, Brian Foster [PATCH 09/13] xfs_repair: better checking of v5 attributes, Eric Sandeen Re: [PATCH 09/13] xfs_repair: better checking of v5 attributes, Brian Foster Re: [PATCH 09/13] xfs_repair: better checking of v5 attributes, Eric Sandeen [PATCH 08/13] xfs_repair: catch bad level/depth in da node, Eric Sandeen Re: [PATCH 08/13] xfs_repair: catch bad level/depth in da node, Brian Foster [PATCH 10/13] xfs_repair: Remove more differences between attr & dir2, Eric Sandeen Re: [PATCH 10/13] xfs_repair: Remove more differences between attr & dir2, Brian Foster [PATCH 07/13] xfs_repair: Remove BUF_PTR from attr_repair.c, Eric Sandeen Re: [PATCH 07/13] xfs_repair: Remove BUF_PTR from attr_repair.c, Brian Foster

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	[PATCH 06/13] xfs_repair: add XR_DIR_TRACE to dir2.c, Eric Sandeen
Next by Date:	[PATCH 09/13] xfs_repair: better checking of v5 attributes, Eric Sandeen
Previous by Thread:	Re: [PATCH 06/13] xfs_repair: add XR_DIR_TRACE to dir2.c, Brian Foster
Next by Thread:	Re: [PATCH 05/13] xfs_repair: fix use-after-free in verify_final_dir2_path, Brian Foster
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

[PATCH 06/13] xfs_repair: add XR_DIR_TRACE to dir2.c, Eric Sandeen

Next by Date:

[PATCH 09/13] xfs_repair: better checking of v5 attributes, Eric Sandeen

Previous by Thread:

Re: [PATCH 06/13] xfs_repair: add XR_DIR_TRACE to dir2.c, Brian Foster

Next by Thread:

Re: [PATCH 05/13] xfs_repair: fix use-after-free in verify_final_dir2_path, Brian Foster

Indexes:

[Date] [Thread] [Top] [All Lists]