autofs/autofs-5.1.8-fix-use-after-free-in-tree_mapent_delete_offset_tree.patch
Ian Kent da0ee4c338 Using -hosts option does not work in RHEL 9
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2056320

Changes to resolve internal hosts map problem:
- fix root offset error handling.
- fix nonstrict fail handling of last offset mount.
- dont fail on duplicate offset entry tree add.
- fix loop under run in cache_get_offset_parent().
- simplify cache_add() a little.
- fix use after free in tree_mapent_delete_offset_tree().
- fix memory leak in xdr_exports().
- avoid calling pthread_getspecific() with NULL key_thread_attempt_id.
- fix sysconf(3) return handling.
- remove rpcgen dependedncy, it hasn't been needed since rev 10.

Resolves: rhbz#2056320

Signed-off-by: Ian Kent ikent@redhat.com
2022-05-12 10:13:51 +08:00

56 lines
1.6 KiB
Diff

autofs-5.1.8 - fix use after free in tree_mapent_delete_offset_tree()
From: Ian Kent <raven@themaw.net>
The key field of the map entry of the root of the map entry tree to be
deleted can't be used for the key parameter, fix it.
Signed-off-by: Ian Kent <raven@themaw.net>
---
CHANGELOG | 1 +
lib/mounts.c | 16 +++++++++++++---
2 files changed, 14 insertions(+), 3 deletions(-)
--- autofs-5.1.7.orig/CHANGELOG
+++ autofs-5.1.7/CHANGELOG
@@ -90,6 +90,7 @@
- dont fail on duplicate offset entry tree add.
- fix loop under run in cache_get_offset_parent().
- simplify cache_add() a little.
+- fix use after free in tree_mapent_delete_offset_tree().
25/01/2021 autofs-5.1.7
- make bind mounts propagation slave by default.
--- autofs-5.1.7.orig/lib/mounts.c
+++ autofs-5.1.7/lib/mounts.c
@@ -1666,16 +1666,26 @@ static int tree_mapent_delete_offset_tre
*/
if (MAPENT_ROOT(me) != MAPENT_NODE(me)) {
struct tree_node *root = MAPENT_ROOT(me);
+ char *key;
- debug(logopt, "deleting offset key %s", me->key);
+ key = strdup(me->key);
+ if (!key) {
+ char buf[MAX_ERR_BUF];
+ char *estr = strerror_r(errno, buf, MAX_ERR_BUF);
+ error(logopt, "strdup: %s", estr);
+ return 0;
+ }
+
+ debug(logopt, "deleting offset key %s", key);
/* cache_delete won't delete an active offset */
MAPENT_SET_ROOT(me, NULL);
- ret = cache_delete(me->mc, me->key);
+ ret = cache_delete(me->mc, key);
if (ret != CHE_OK) {
MAPENT_SET_ROOT(me, root);
- warn(logopt, "failed to delete offset %s", me->key);
+ warn(logopt, "failed to delete offset %s", key);
}
+ free(key);
} else {
MAPENT_SET_ROOT(me, NULL);
MAPENT_SET_PARENT(me, NULL);