> On Oct 5, 2015, at 8:18 AM, Lukáš Czerner <lczerner@xxxxxxxxxx> wrote: > > On Wed, 2 Sep 2015, Lukas Czerner wrote: > >> Date: Wed, 2 Sep 2015 16:45:54 +0200 >> From: Lukas Czerner <lczerner@xxxxxxxxxx> >> To: linux-ext4@xxxxxxxxxxxxxxx >> Cc: Lukas Czerner <lczerner@xxxxxxxxxx> >> Subject: [PATCH] ext4: fix potential use after free in __ext4_journal_stop >> >> There is a use-after-free possibility in __ext4_journal_stop() in the >> case that we free the handle in the first jbd2_journal_stop() because >> we're referencing handle->h_err afterwards. This was introduced in >> 9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by >> storing the handle->h_err value beforehand and avoid referencing >> potentially freed handle. > > ping >> >> Signed-off-by: Lukas Czerner <lczerner@xxxxxxxxxx> Reviewed-by: Andreas Dilger <adilger@xxxxxxxxx> >> --- >> fs/ext4/ext4_jbd2.c | 6 +++--- >> 1 file changed, 3 insertions(+), 3 deletions(-) >> >> diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c >> index d418431..e770c1ee 100644 >> --- a/fs/ext4/ext4_jbd2.c >> +++ b/fs/ext4/ext4_jbd2.c >> @@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle) >> return 0; >> } >> >> + err = handle->h_err; >> if (!handle->h_transaction) { >> - err = jbd2_journal_stop(handle); >> - return handle->h_err ? handle->h_err : err; >> + rc = jbd2_journal_stop(handle); >> + return err ? err : rc; >> } >> >> sb = handle->h_transaction->t_journal->j_private; >> - err = handle->h_err; >> rc = jbd2_journal_stop(handle); >> >> if (!err) >> > -- > To unsubscribe from this list: send the line "unsubscribe linux-ext4" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html Cheers, Andreas
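Review bot: The new `err = handle->h_err;` placed ahead of the `if (!handle->h_transaction)` check carries no comment saying why the read must come before `jbd2_journal_stop(handle)`, and that ordering is the entire fix, so a later cleanup could move the read back below the stop. A one-line comment at that spot, for example `/* jbd2_journal_stop() may free the handle; read h_err first */`, would pin it down. In the `!handle->h_transaction` branch the returned `h_err` is now the value from before the stop, whereas the removed `return handle->h_err ? handle->h_err : err;` read it afterwards; the changelog should say that this is intended. The changelog also cites 9705acd63b125dee8b15c705216d7186daea4625 by hash only; a `Fixes:` tag naming that commit would let the fix be matched to the trees that carry it.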