On Fri, 2018-11-23 at 17:04 +0800, Pan Bian wrote:
> The function hfs_bmap_free frees node via hfs_bnode_put(node). However,
> it then reads node->this when dumping error message on an error path,
> which may result in a use-after-free bug. This patch frees node only
> when it is never used.
>
> Fixes: d614267329f("hfs/hfsplus: convert printks to pr_<level>")

Hi.

While this may indeed be a defect, and the "/* panic */" comment may be
unwarranted, this isn't really a fix of a printk conversion.

This dereference goes back to 2004; the printk(KERN_CRIT to pr_crit(
conversion did not introduce it.

So this patch is only a possible use after free fix.

From a full history git tree:
(similar to https://archive.org/details/git-history-of-linux)

commit a1185ffa2fc491e23f3107a39f66ee703d102153
Author: Andrew Morton <akpm@xxxxxxxx>
Date:   Wed Feb 25 16:17:36 2004 -0800

    [PATCH] HFS rewrite

    From: Roman Zippel <zippel@xxxxxxxxxxxxxx>

    This is a complete rewrite of the HFS driver, it gets rid of all the
    special conversion options, which belong in user space. The driver now
    uses btree support very similar to HFS+, so that both could be merged
    at some point.

    Thanks to Ethan Benson <erbenson@xxxxxxxxxx> for a number of patches
    to make the driver more compliant with the spec and Christoph Hellwig
    <hch@xxxxxx> for fixing up the documentation.

> diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
[]
> @@ -338,13 +338,14 @@ void hfs_bmap_free(struct hfs_bnode *node)
>
>  		nidx -= len * 8;
>  		i = node->next;
> -		hfs_bnode_put(node);
>  		if (!i) {
>  			/* panic */;
>  			pr_crit("unable to free bnode %u. bmap not found!\n",
>  				node->this);
> +			hfs_bnode_put(node);
>  			return;
>  		}
> +		hfs_bnode_put(node);
>  		node = hfs_bnode_find(tree, i);
>  		if (IS_ERR(node))
>  			return;
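Review bot: the @@ -338 hunk gets the ordering right (node->this is now read before the reference is dropped), but it leaves two hfs_bnode_put(node) calls, one per path; reading the node number into a local ahead of the existing single put (`u32 this = node->this;` before `hfs_bnode_put(node);` and printing `this`) keeps one release point and is a smaller diff. While this block is being touched, `/* panic */;` is a comment followed by an empty statement and can be dropped. As pointed out above, the Fixes: tag should reference the commit that introduced the dereference (the 2004 HFS rewrite quoted in this reply) rather than the printk conversion, since that is what stable backports key on.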
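A toy C model of the ordering the hunk changes, added here as an illustration and not code from the patch or the HFS driver. `struct toy_bnode` and `toy_bnode_put()` are made-up stand-ins for `struct hfs_bnode` and `hfs_bnode_put()`; the release is simulated by poisoning the fields instead of calling free(), so a read after the last put yields a fixed, recognisable value rather than undefined behaviour. It also shows why the bug survived since 2004: with an extra reference held, the put-then-read order returns the right number, so nothing looks wrong.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Made-up stand-in for struct hfs_bnode; only the fields the hunk touches. */
struct toy_bnode {
	uint32_t this;   /* node number printed by the error message */
	uint32_t next;   /* next bmap node, 0 when there is none */
	int refcnt;
	int freed;       /* set once the last reference is dropped */
};

#define POISON 0xFFFFFFFFu

/* Stand-in for hfs_bnode_put(): drop one reference and release the node
 * when the count reaches zero. Release is simulated by poisoning the
 * fields so that a read after it is deterministic and detectable. */
static void toy_bnode_put(struct toy_bnode *node)
{
	if (--node->refcnt == 0) {
		node->freed = 1;
		node->this = POISON;
		node->next = POISON;
	}
}

/* Ordering before the patch: put first, then read node->this for the
 * message. Returns the node number that reached the message buffer. */
static uint32_t bmap_free_tail_old(struct toy_bnode *node, char *msg, size_t len)
{
	uint32_t i = node->next;

	toy_bnode_put(node);
	if (!i) {
		/* node->this is read after the put: use after release
		 * whenever that put dropped the last reference */
		snprintf(msg, len, "unable to free bnode %" PRIu32 ". bmap not found!",
			 node->this);
		return node->this;
	}
	return 0;
}

/* Ordering after the patch: read node->this first, then put on each path. */
static uint32_t bmap_free_tail_new(struct toy_bnode *node, char *msg, size_t len)
{
	uint32_t i = node->next;

	if (!i) {
		uint32_t reported = node->this;

		snprintf(msg, len, "unable to free bnode %" PRIu32 ". bmap not found!",
			 node->this);
		toy_bnode_put(node);
		return reported;
	}
	toy_bnode_put(node);
	return 0;
}

/* Run one variant on a constructed node that has no next node (the error
 * path) and the given reference count; returns the reported node number. */
static uint32_t run_variant(int use_new, int refcnt, uint32_t this_id)
{
	struct toy_bnode n = { .this = this_id, .next = 0, .refcnt = refcnt, .freed = 0 };
	char msg[80];

	return use_new ? bmap_free_tail_new(&n, msg, sizeof msg)
		       : bmap_free_tail_old(&n, msg, sizeof msg);
}

int main(void)
{
	printf("old order, last ref:  reported %#" PRIx32 "\n", run_variant(0, 1, 7));
	printf("old order, extra ref: reported %#" PRIx32 "\n", run_variant(0, 2, 7));
	printf("new order, last ref:  reported %#" PRIx32 "\n", run_variant(1, 1, 7));
	return 0;
}
```

The first line of output shows the poisoned value 0xffffffff in place of node number 7; the second shows the same buggy code reporting 7 correctly because another reference kept the node alive, which is the situation that hid the defect in practice.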