refs/tags/fixes_for_v4.20-rc5 - pub/scm/linux/kernel/git/jack/linux-fs

tag	eb4ef8dab37ae157dcd3c67eb870ef56e7ac03eb
tagger	Jan Kara <jack@suse.cz>	Thu Nov 29 08:41:53 2018 +0100
object	ecebf55d27a11538ea84aee0be643dd953f830d5

\n

commit	ecebf55d27a11538ea84aee0be643dd953f830d5	[log] [tgz]
author	Pan Bian <bianpan2016@163.com>	Sun Nov 25 08:58:02 2018 +0800
committer	Jan Kara <jack@suse.cz>	Tue Nov 27 10:21:15 2018 +0100
tree	5f017acb4a15f183e2c0bbb28ffe4487824c6493
parent	e5f5b717983bccfa033282e9886811635602510e [diff]

ext2: fix potential use after free

The function ext2_xattr_set calls brelse(bh) to drop the reference count
of bh. After that, bh may be freed. However, following brelse(bh),
it reads bh->b_data via macro HDR(bh). This may result in a
use-after-free bug. This patch moves brelse(bh) after reading field.

CC: stable@vger.kernel.org
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Jan Kara <jack@suse.cz>

fs/ext2/xattr.c[diff]

1 file changed

tree: 5f017acb4a15f183e2c0bbb28ffe4487824c6493