autofs-5.1.8 - fix possible use after free in handle_mounts_exit() From: Ian Kent Don't free the submount map entry until it's no longer used. Signed-off-by: Ian Kent --- CHANGELOG | 1 + daemon/automount.c | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 10 deletions(-) --- autofs-5.1.4.orig/CHANGELOG +++ autofs-5.1.4/CHANGELOG @@ -141,6 +141,7 @@ - dont call umount_subtree_mounts() on parent at umount. - dont take parent source lock at mount shutdown. - eliminate buffer usage from handle_mounts_cleanup(). +- fix possible use after free in handle_mounts_exit(). xx/xx/2018 autofs-5.1.5 - fix flag file permission. --- autofs-5.1.4.orig/daemon/automount.c +++ autofs-5.1.4/daemon/automount.c @@ -1753,16 +1753,6 @@ static void handle_mounts_cleanup(void * info(logopt, "shut down path %s", ap->path); - /* - * Submounts are detached threads and don't belong to the - * master map entry list so we need to free their resources - * here. - */ - if (submount) { - master_free_mapent_sources(ap->entry, 1); - master_free_mapent(ap->entry); - } - if (clean) { if (rmdir(ap->path) == -1) { char *estr = strerror_r(errno, buf, MAX_ERR_BUF); @@ -1775,6 +1765,16 @@ static void handle_mounts_cleanup(void * master_source_unlock(ap->entry); /* + * Submounts are detached threads and don't belong to the + * master map entry list so we need to free their resources + * here. + */ + if (submount) { + master_free_mapent_sources(ap->entry, 1); + master_free_mapent(ap->entry); + } + + /* * If we are not a submount send a signal to the signal handler * so it can join with any completed handle_mounts() threads and * perform final cleanup.
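Review bot: The relocated free block in the second hunk carries no record of why it now sits after `master_source_unlock(ap->entry)`, so a later tidy-up could move it back above the unlock and reintroduce the use after free this commit fixes; extend the moved comment with a line such as ` * Must stay after master_source_unlock(): that call dereferences ap->entry.`. Once `master_free_mapent(ap->entry)` returns, `ap->entry` is dangling and nothing in the hunk clears it, yet the function continues past the hunk (the signal-handler path for non-submounts), so if master_free_mapent() also releases the autofs_point that `ap` points to — not visible here — any later touch of `ap` would be a second use after free; that is worth confirming against master_free_mapent() before merging. The new ordering also leaves the entry unlocked for the window between the unlock and the free, which is safe only because, as the comment says, submount entries are detached and not on the master list; stating that dependency explicitly in the same comment would make the invariant harder to break. handle_mounts_cleanup() starts and ends outside both hunks.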