diff --git a/autofs-5.1.4-fix-use-after-free-in-do_master_list_reset.patch b/autofs-5.1.4-fix-use-after-free-in-do_master_list_reset.patch new file mode 100644 index 0000000..ff12fd9 --- /dev/null +++ b/autofs-5.1.4-fix-use-after-free-in-do_master_list_reset.patch @@ -0,0 +1,55 @@ +autofs-5.1.4 - fix use after free in do_master_list_reset() + +From: Ian Kent + +Umm ... list_for_each() can't be used in do_master_list_reset() because +the subject entry of the loop is removed for the list within the loop +body. Therefore it can't be used to calculate the next pointer within a +for (...) loop. + +There is no list_for_each_safe() macro in the list.h of autofs so it +needs to be done manually. + +Signed-off-by: Ian Kent +--- + CHANGELOG | 1 + + daemon/automount.c | 8 ++++++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 4faab510..2747327b 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,6 +1,7 @@ + xx/xx/2018 autofs-5.1.5 + - fix flag file permission. + - fix directory create permission. ++- fix use after free in do_master_list_reset(). + + 19/12/2017 autofs-5.1.4 + - fix spec file url. +diff --git a/daemon/automount.c b/daemon/automount.c +index dcdc19fb..28b3f2f5 100644 +--- a/daemon/automount.c ++++ b/daemon/automount.c +@@ -2070,14 +2070,18 @@ static void remove_empty_args(char **argv, int *argc) + + static void do_master_list_reset(struct master *master) + { +- struct list_head *head, *p; ++ struct list_head *head, *p, *n; + + master_mutex_lock(); + + head = &master->mounts; +- list_for_each(p, head) { ++ n = head->next; ++ while (n != head) { + struct master_mapent *entry; + ++ p = n; ++ n = p->next; ++ + entry = list_entry(p, struct master_mapent, list); + + if (!list_empty(&entry->list)) diff --git a/autofs.spec b/autofs.spec index 1dcc8f9..74f5287 100644 --- a/autofs.spec +++ b/autofs.spec @@ -8,13 +8,14 @@ Summary: A tool for automatically mounting and unmounting filesystems Name: autofs Version: 5.1.4 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 1 License: GPLv2+ Group: System Environment/Daemons Source: https://www.kernel.org/pub/linux/daemons/autofs/v5/autofs-%{version}.tar.gz Patch1: autofs-5.1.4-fix-flag-file-permission.patch Patch2: autofs-5.1.4-fix-directory-create-permission.patch +Patch3: autofs-5.1.4-fix-use-after-free-in-do_master_list_reset.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -170,6 +171,9 @@ fi %dir /etc/auto.master.d %changelog +* Fri Dec 22 2017 Ian Kent - 1:5.1.4-4 +- fix use after free in do_master_list_reset(). + * Wed Dec 20 2017 Ian Kent - 1:5.1.4-3 - fix email in last two changelog entries.