[rtems commit] jffs2: fix use-after-free on symlink traversal

Sebastian Huber sebh at rtems.org
Mon Jun 20 11:21:54 UTC 2022


Module:    rtems
Branch:    master
Commit:    22e83b00f5bcac4b0f306735ba7c84d7522d903d
Changeset: http://git.rtems.org/rtems/commit/?id=22e83b00f5bcac4b0f306735ba7c84d7522d903d

Author:    Al Viro <viro at zeniv.linux.org.uk>
Date:      Tue Mar 26 01:39:50 2019 +0000

jffs2: fix use-after-free on symlink traversal

free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.

Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>

---

 cpukit/libfs/src/jffs2/src/readinode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cpukit/libfs/src/jffs2/src/readinode.c b/cpukit/libfs/src/jffs2/src/readinode.c
index e6c9452c03..c4e32ead47 100644
--- a/cpukit/libfs/src/jffs2/src/readinode.c
+++ b/cpukit/libfs/src/jffs2/src/readinode.c
@@ -1434,11 +1434,12 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f)
 	}
 
 	jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL);
-
+#ifdef __rtems__
 	if (f->target) {
 		kfree(f->target);
 		f->target = NULL;
 	}
+#endif /* __rtems__ */
 
 	fds = f->dents;
 	while(fds) {
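Review bot: The `#ifdef __rtems__` wrapped around `kfree(f->target)` has no comment saying why the RTEMS build keeps the immediate free, and the commit message describes something different from what the hunk does. The message talks about freeing the symlink body after the RCU delay, but the hunk leaves the `if (f->target) { kfree(f->target); f->target = NULL; }` block unchanged under `__rtems__`. Outside `__rtems__`, nothing in this function frees `f->target` any more, and the diffstat lists only readinode.c, so no deferred free is visible in this change. Please add a short comment above the `#ifdef` giving the reason the immediate free is retained here, and note in the commit message that the RTEMS behaviour is intentionally unchanged. The hunk also drops the blank line that separated `jffs2_kill_fragtree(...)` from the block; keeping it would keep the diff against the imported source minimal.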


