| From db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Tue, 22 Aug 2017 23:41:28 +0300 |
| Subject: eCryptfs: use after free in ecryptfs_release_messaging() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream. |
| |
| We're freeing the list iterator so we should be using the _safe() |
| version of hlist_for_each_entry(). |
| |
| Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Tyler Hicks <tyhicks@canonical.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/ecryptfs/messaging.c | 7 ++++--- |
| 1 file changed, 4 insertions(+), 3 deletions(-) |
| |
| --- a/fs/ecryptfs/messaging.c |
| +++ b/fs/ecryptfs/messaging.c |
| @@ -442,15 +442,16 @@ void ecryptfs_release_messaging(void) |
| } |
| if (ecryptfs_daemon_hash) { |
| struct ecryptfs_daemon *daemon; |
| + struct hlist_node *n; |
| int i; |
| |
| mutex_lock(&ecryptfs_daemon_hash_mux); |
| for (i = 0; i < (1 << ecryptfs_hash_bits); i++) { |
| int rc; |
| |
| - hlist_for_each_entry(daemon, |
| - &ecryptfs_daemon_hash[i], |
| - euid_chain) { |
| + hlist_for_each_entry_safe(daemon, n, |
| + &ecryptfs_daemon_hash[i], |
| + euid_chain) { |
| rc = ecryptfs_exorcise_daemon(daemon); |
| if (rc) |
| printk(KERN_ERR "%s: Error whilst " |