Ian Kent b71d8c
autofs-5.1.4 - fix use after free in do_master_list_reset()
From: Ian Kent <raven@themaw.net>
Umm ... list_for_each() can't be used in do_master_list_reset() because
the subject entry of the loop is removed from the list within the loop
body. Therefore it can't be used to calculate the next pointer within a
for (...) loop.
There is no list_for_each_safe() macro in the list.h of autofs so it
needs to be done manually.
Signed-off-by: Ian Kent <raven@themaw.net>
---
 CHANGELOG          |    1 +
 daemon/automount.c |    8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
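Added example, not autofs code: a minimal re-creation of the Linux-style list primitives that autofs's list.h is modelled on (struct list_head, list_entry(), list_for_each()), a stand-in `struct mapent` for struct master_mapent, and the list_for_each_safe() macro the commit message says autofs lacks. All of those names and layouts are assumptions. It puts the open-coded save-next-first loop from the patch beside the macro form and frees entries as the walk proceeds, which is exactly what list_for_each() cannot survive.

```c
/* Added example (not autofs code): why a list walk that unlinks and frees
 * the current node must read the successor pointer before the loop body.
 * The list primitives are a minimal Linux-style list.h; names and the
 * struct mapent stand-in are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };

#define INIT_LIST_HEAD(h) do { (h)->next = (h); (h)->prev = (h); } while (0)
#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
/* Plain walk: computes p->next AFTER the body, so the body must not free p. */
#define list_for_each(p, head) \
	for (p = (head)->next; p != (head); p = p->next)
/* The macro autofs's list.h lacks: successor fetched before the body runs. */
#define list_for_each_safe(p, n, head) \
	for (p = (head)->next, n = p->next; p != (head); p = n, n = p->next)

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
	entry->prev = head->prev;
	entry->next = head;
	head->prev->next = entry;
	head->prev = entry;
}

static void list_del(struct list_head *entry)
{
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
	entry->next = entry->prev = NULL; /* a stale p->next is now NULL, not dangling */
}

/* Stand-in for struct master_mapent: just the list link and a liveness flag. */
struct mapent {
	int in_use;
	struct list_head list;
};

/* Mirrors the patched do_master_list_reset(): n is captured before the body
 * may unlink and free the entry p points into. Returns the number freed. */
static int reset_stale(struct list_head *head)
{
	struct list_head *p, *n;
	int freed = 0;

	n = head->next;
	while (n != head) {
		struct mapent *e;

		p = n;
		n = p->next; /* must happen before free(e) below */

		e = list_entry(p, struct mapent, list);
		if (e->in_use)
			continue;
		list_del(&e->list);
		free(e);
		freed++;
	}
	return freed;
}

/* Same loop written with the safe macro; behaviour is identical. */
static int reset_stale_macro(struct list_head *head)
{
	struct list_head *p, *n;
	int freed = 0;

	list_for_each_safe(p, n, head) {
		struct mapent *e = list_entry(p, struct mapent, list);
		if (e->in_use)
			continue;
		list_del(&e->list);
		free(e);
		freed++;
	}
	return freed;
}

/* Read-only walk, where plain list_for_each() is the right tool. */
static int count(struct list_head *head)
{
	struct list_head *p;
	int n = 0;
	list_for_each(p, head)
		n++;
	return n;
}

/* Constructed data: `total` entries, every `keep_every`-th marked in use.
 * Runs the reset and returns how many entries survived (-1 on inconsistency). */
static int demo(int total, int keep_every, int use_macro)
{
	struct list_head mounts;
	struct list_head *p;
	int i, freed, remaining;

	INIT_LIST_HEAD(&mounts);
	for (i = 0; i < total; i++) {
		struct mapent *e = calloc(1, sizeof(*e));
		if (!e)
			return -1;
		e->in_use = (i % keep_every == 0);
		list_add_tail(&e->list, &mounts);
	}

	freed = use_macro ? reset_stale_macro(&mounts) : reset_stale(&mounts);
	remaining = count(&mounts);

	/* release the survivors so the demo leaks nothing */
	list_for_each(p, &mounts)
		list_entry(p, struct mapent, list)->in_use = 0;
	reset_stale(&mounts);

	return freed + remaining == total ? remaining : -1;
}

int main(void)
{
	printf("5 entries, every 2nd in use: %d survive the reset\n", demo(5, 2, 0));
	return 0;
}
```

The only difference between the patched loop and the macro is where `n = p->next` sits; with list_for_each() that read happens in the `for` increment, after free(), which is the use after free the commit fixes.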
diff --git a/CHANGELOG b/CHANGELOG
index 4faab510..2747327b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 xx/xx/2018 autofs-5.1.5
 - fix flag file permission.
 - fix directory create permission.
+- fix use after free in do_master_list_reset().
 
 19/12/2017 autofs-5.1.4
 - fix spec file url.
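Review bot: the new entry goes into the unreleased xx/xx/2018 autofs-5.1.5 section, while the subject line is prefixed "autofs-5.1.4"; if the prefix is meant to name the release the fix is based on that is fine, otherwise it should read 5.1.5 so subject and CHANGELOG agree.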
diff --git a/daemon/automount.c b/daemon/automount.c
index dcdc19fb..28b3f2f5 100644
--- a/daemon/automount.c
+++ b/daemon/automount.c
@@ -2070,14 +2070,18 @@ static void remove_empty_args(char **argv, int *argc)
 
 static void do_master_list_reset(struct master *master)
 {
-	struct list_head *head, *p;
+	struct list_head *head, *p, *n;
 
 	master_mutex_lock();
 
 	head = &master->mounts;
-	list_for_each(p, head) {
+	n = head->next;
+	while (n != head) {
 		struct master_mapent *entry;
 
+		p = n;
+		n = p->next;
+
 		entry = list_entry(p, struct master_mapent, list);
 
 		if (!list_empty(&entry->list))
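Review bot: the `n = p->next;` line is the entire fix, yet nothing in the hunk says why it must come before the body; a one-line comment above it (e.g. `/* body may free entry: fetch next first */`) would keep a later cleanup from folding the loop back into list_for_each() and reintroducing the use after free. Since the commit message already notes that autofs's list.h has no list_for_each_safe(), adding that macro there and using it here would make the intent self-documenting and give the other loops in the daemon that unlink entries the same protection rather than open-coding it per call site.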