| From ecebf55d27a11538ea84aee0be643dd953f830d5 Mon Sep 17 00:00:00 2001 |
| From: Pan Bian <bianpan2016@163.com> |
| Date: Sun, 25 Nov 2018 08:58:02 +0800 |
| Subject: ext2: fix potential use after free |
| |
| From: Pan Bian <bianpan2016@163.com> |
| |
| commit ecebf55d27a11538ea84aee0be643dd953f830d5 upstream. |
| |
| The function ext2_xattr_set calls brelse(bh) to drop the reference count |
| of bh. After that, bh may be freed. However, following brelse(bh), |
| it reads bh->b_data via macro HDR(bh). This may result in a |
| use-after-free bug. This patch moves brelse(bh) after reading field. |
| |
| CC: stable@vger.kernel.org |
| Signed-off-by: Pan Bian <bianpan2016@163.com> |
| Signed-off-by: Jan Kara <jack@suse.cz> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/ext2/xattr.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/fs/ext2/xattr.c |
| +++ b/fs/ext2/xattr.c |
| @@ -606,9 +606,9 @@ skip_replace: |
| } |
| |
| cleanup: |
| - brelse(bh); |
| if (!(bh && header == HDR(bh))) |
| kfree(header); |
| + brelse(bh); |
| up_write(&EXT2_I(inode)->xattr_sem); |
| |
| return error; |
