autofs/autofs-5.1.8-fix-possible-use-after-free-in-handle_mounts_exit.patch
2023-06-13 10:51:59 +08:00

59 lines
1.7 KiB
Diff

autofs-5.1.8 - fix possible use after free in handle_mounts_exit()
From: Ian Kent <raven@themaw.net>
Don't free the submount map entry until it's no longer used.
Signed-off-by: Ian Kent <raven@themaw.net>
---
CHANGELOG | 1 +
daemon/automount.c | 20 ++++++++++----------
2 files changed, 11 insertions(+), 10 deletions(-)
--- autofs-5.1.4.orig/CHANGELOG
+++ autofs-5.1.4/CHANGELOG
@@ -141,6 +141,7 @@
- dont call umount_subtree_mounts() on parent at umount.
- dont take parent source lock at mount shutdown.
- eliminate buffer usage from handle_mounts_cleanup().
+- fix possible use after free in handle_mounts_exit().
xx/xx/2018 autofs-5.1.5
- fix flag file permission.
--- autofs-5.1.4.orig/daemon/automount.c
+++ autofs-5.1.4/daemon/automount.c
@@ -1753,16 +1753,6 @@ static void handle_mounts_cleanup(void *
info(logopt, "shut down path %s", ap->path);
- /*
- * Submounts are detached threads and don't belong to the
- * master map entry list so we need to free their resources
- * here.
- */
- if (submount) {
- master_free_mapent_sources(ap->entry, 1);
- master_free_mapent(ap->entry);
- }
-
if (clean) {
if (rmdir(ap->path) == -1) {
char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
@@ -1775,6 +1765,16 @@ static void handle_mounts_cleanup(void *
master_source_unlock(ap->entry);
/*
+ * Submounts are detached threads and don't belong to the
+ * master map entry list so we need to free their resources
+ * here.
+ */
+ if (submount) {
+ master_free_mapent_sources(ap->entry, 1);
+ master_free_mapent(ap->entry);
+ }
+
+ /*
* If we are not a submount send a signal to the signal handler
* so it can join with any completed handle_mounts() threads and
* perform final cleanup.