autofs/autofs-5.1.8-fix-possible-use-after-free-in-handle_mounts_exit.patch

autofs-5.1.8 - fix possible use after free in handle_mounts_exit()

From: Ian Kent <raven@themaw.net>

Don't free the submount map entry until it's no longer used.

Signed-off-by: Ian Kent <raven@themaw.net>
---
 CHANGELOG          |    1 +
 daemon/automount.c |   20 ++++++++++----------
 2 files changed, 11 insertions(+), 10 deletions(-)

--- autofs-5.1.4.orig/CHANGELOG
+++ autofs-5.1.4/CHANGELOG
@@ -141,6 +141,7 @@
 - dont call umount_subtree_mounts() on parent at umount.
 - dont take parent source lock at mount shutdown.
 - eliminate buffer usage from handle_mounts_cleanup().
+- fix possible use after free in handle_mounts_exit().
 
 xx/xx/2018 autofs-5.1.5
 - fix flag file permission.
--- autofs-5.1.4.orig/daemon/automount.c
+++ autofs-5.1.4/daemon/automount.c
@@ -1753,16 +1753,6 @@ static void handle_mounts_cleanup(void *
 
 	info(logopt, "shut down path %s", ap->path);
 
-	/*
-	 * Submounts are detached threads and don't belong to the
-	 * master map entry list so we need to free their resources
-	 * here.
-	 */
-	if (submount) {
-		master_free_mapent_sources(ap->entry, 1);
-		master_free_mapent(ap->entry);
-	}
-
 	if (clean) {
 		if (rmdir(ap->path) == -1) {
 			char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
@@ -1775,6 +1765,16 @@ static void handle_mounts_cleanup(void *
 	master_source_unlock(ap->entry);
 
 	/*
+	 * Submounts are detached threads and don't belong to the
+	 * master map entry list so we need to free their resources
+	 * here.
+	 */
+	if (submount) {
+		master_free_mapent_sources(ap->entry, 1);
+		master_free_mapent(ap->entry);
+	}
+
+	/*
 	 * If we are not a submount send a signal to the signal handler
 	 * so it can join with any completed handle_mounts() threads and
 	 * perform final cleanup.
- add changes for bug 2207801. 2023-06-13 02:51:59 +00:00			`autofs-5.1.8 - fix possible use after free in handle_mounts_exit()`

			`From: Ian Kent <raven@themaw.net>`

			`Don't free the submount map entry until it's no longer used.`

			`Signed-off-by: Ian Kent <raven@themaw.net>`
			`---`
			`CHANGELOG \| 1 +`
			`daemon/automount.c \| 20 ++++++++++----------`
			`2 files changed, 11 insertions(+), 10 deletions(-)`

			`--- autofs-5.1.4.orig/CHANGELOG`
			`+++ autofs-5.1.4/CHANGELOG`
			`@@ -141,6 +141,7 @@`
			`- dont call umount_subtree_mounts() on parent at umount.`
			`- dont take parent source lock at mount shutdown.`
			`- eliminate buffer usage from handle_mounts_cleanup().`
			`+- fix possible use after free in handle_mounts_exit().`

			`xx/xx/2018 autofs-5.1.5`
			`- fix flag file permission.`
			`--- autofs-5.1.4.orig/daemon/automount.c`
			`+++ autofs-5.1.4/daemon/automount.c`
			`@@ -1753,16 +1753,6 @@ static void handle_mounts_cleanup(void *`

			`info(logopt, "shut down path %s", ap->path);`

			`- /*`
			`- * Submounts are detached threads and don't belong to the`
			`- * master map entry list so we need to free their resources`
			`- * here.`
			`- */`
			`- if (submount) {`
			`- master_free_mapent_sources(ap->entry, 1);`
			`- master_free_mapent(ap->entry);`
			`- }`
			`-`
			`if (clean) {`
			`if (rmdir(ap->path) == -1) {`
			`char *estr = strerror_r(errno, buf, MAX_ERR_BUF);`
			`@@ -1775,6 +1765,16 @@ static void handle_mounts_cleanup(void *`
			`master_source_unlock(ap->entry);`

			`/*`
			`+ * Submounts are detached threads and don't belong to the`
			`+ * master map entry list so we need to free their resources`
			`+ * here.`
			`+ */`
			`+ if (submount) {`
			`+ master_free_mapent_sources(ap->entry, 1);`
			`+ master_free_mapent(ap->entry);`
			`+ }`
			`+`
			`+ /*`
			`* If we are not a submount send a signal to the signal handler`
			`* so it can join with any completed handle_mounts() threads and`
			`* perform final cleanup.`