- fix use after free in do_master_list_reset().
This commit is contained in:
Ian Kent
parent
11b4c7bb2a
commit
b71d8c2d31
@ -0,0 +1,55 @@
|
|||||||
|
autofs-5.1.4 - fix use after free in do_master_list_reset()
|
||||||
|
|
||||||
|
From: Ian Kent <raven@themaw.net>
|
||||||
|
|
||||||
|
Umm ... list_for_each() can't be used in do_master_list_reset() because
|
||||||
|
the subject entry of the loop is removed for the list within the loop
|
||||||
|
body. Therefore it can't be used to calculate the next pointer within a
|
||||||
|
for (...) loop.
|
||||||
|
|
||||||
|
There is no list_for_each_safe() macro in the list.h of autofs so it
|
||||||
|
needs to be done manually.
|
||||||
|
|
||||||
|
Signed-off-by: Ian Kent <raven@themaw.net>
|
||||||
|
---
|
||||||
|
CHANGELOG | 1 +
|
||||||
|
daemon/automount.c | 8 ++++++--
|
||||||
|
2 files changed, 7 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/CHANGELOG b/CHANGELOG
|
||||||
|
index 4faab510..2747327b 100644
|
||||||
|
--- a/CHANGELOG
|
||||||
|
+++ b/CHANGELOG
|
||||||
|
@@ -1,6 +1,7 @@
|
||||||
|
xx/xx/2018 autofs-5.1.5
|
||||||
|
- fix flag file permission.
|
||||||
|
- fix directory create permission.
|
||||||
|
+- fix use after free in do_master_list_reset().
|
||||||
|
|
||||||
|
19/12/2017 autofs-5.1.4
|
||||||
|
- fix spec file url.
|
||||||
|
diff --git a/daemon/automount.c b/daemon/automount.c
|
||||||
|
index dcdc19fb..28b3f2f5 100644
|
||||||
|
--- a/daemon/automount.c
|
||||||
|
+++ b/daemon/automount.c
|
||||||
|
@@ -2070,14 +2070,18 @@ static void remove_empty_args(char **argv, int *argc)
|
||||||
|
|
||||||
|
static void do_master_list_reset(struct master *master)
|
||||||
|
{
|
||||||
|
- struct list_head *head, *p;
|
||||||
|
+ struct list_head *head, *p, *n;
|
||||||
|
|
||||||
|
master_mutex_lock();
|
||||||
|
|
||||||
|
head = &master->mounts;
|
||||||
|
- list_for_each(p, head) {
|
||||||
|
+ n = head->next;
|
||||||
|
+ while (n != head) {
|
||||||
|
struct master_mapent *entry;
|
||||||
|
|
||||||
|
+ p = n;
|
||||||
|
+ n = p->next;
|
||||||
|
+
|
||||||
|
entry = list_entry(p, struct master_mapent, list);
|
||||||
|
|
||||||
|
if (!list_empty(&entry->list))
|
||||||
@ -8,13 +8,14 @@
|
|||||||
Summary: A tool for automatically mounting and unmounting filesystems
|
Summary: A tool for automatically mounting and unmounting filesystems
|
||||||
Name: autofs
|
Name: autofs
|
||||||
Version: 5.1.4
|
Version: 5.1.4
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
Source: https://www.kernel.org/pub/linux/daemons/autofs/v5/autofs-%{version}.tar.gz
|
Source: https://www.kernel.org/pub/linux/daemons/autofs/v5/autofs-%{version}.tar.gz
|
||||||
Patch1: autofs-5.1.4-fix-flag-file-permission.patch
|
Patch1: autofs-5.1.4-fix-flag-file-permission.patch
|
||||||
Patch2: autofs-5.1.4-fix-directory-create-permission.patch
|
Patch2: autofs-5.1.4-fix-directory-create-permission.patch
|
||||||
|
Patch3: autofs-5.1.4-fix-use-after-free-in-do_master_list_reset.patch
|
||||||
|
|
||||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
|
||||||
@ -170,6 +171,9 @@ fi
|
|||||||
%dir /etc/auto.master.d
|
%dir /etc/auto.master.d
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 22 2017 Ian Kent <ikent@redhat.com> - 1:5.1.4-4
|
||||||
|
- fix use after free in do_master_list_reset().
|
||||||
|
|
||||||
* Wed Dec 20 2017 Ian Kent <ikent@redhat.com> - 1:5.1.4-3
|
* Wed Dec 20 2017 Ian Kent <ikent@redhat.com> - 1:5.1.4-3
|
||||||
- fix email in last two changelog entries.
|
- fix email in last two changelog entries.
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user