git.ipfire.org Git - thirdparty/kernel/stable-queue.git - releases/3.16.3/keys-fix-use-after-free-in-assoc_array_gc.patch
From 27419604f51a97d497853f14142c1059d46eb597 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 2 Sep 2014 13:52:20 +0100
Subject: KEYS: Fix use-after-free in assoc_array_gc()

From: David Howells <dhowells@redhat.com>

commit 27419604f51a97d497853f14142c1059d46eb597 upstream.

An edit script should be considered inaccessible by a function once it has
called assoc_array_apply_edit() or assoc_array_cancel_edit().

However, assoc_array_gc() is accessing the edit script just after the
gc_complete: label.

Reported-by: Andreea-Cristina Bernat <bernat.ada@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Andreea-Cristina Bernat <bernat.ada@gmail.com>
cc: shemming@brocade.com
cc: paulmck@linux.vnet.ibm.com
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/assoc_array.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/assoc_array.c
+++ b/lib/assoc_array.c
@@ -1735,7 +1735,7 @@ ascend_old_tree:
gc_complete:
edit->set[0].to = new_root;
assoc_array_apply_edit(edit);
- edit->array->nr_leaves_on_tree = nr_leaves_on_tree;
+ array->nr_leaves_on_tree = nr_leaves_on_tree;
return 0;

enomem:
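Review bot: the replacement line depends on a variable named `array` being in scope at `gc_complete:`, which the hunk's context does not show; it should be the `struct assoc_array *array` argument of assoc_array_gc() itself, and so the same object that `edit->array` pointed at, but that is worth confirming rather than assuming from the one-line diff. The reason the old line is a use-after-free is exactly what the commit message states: once `assoc_array_apply_edit(edit)` has been called the edit script is no longer the caller's to touch, so reading `edit->array` one line later races with its release. A short comment after the `assoc_array_apply_edit(edit);` call (for example `/* edit is no longer ours to dereference after this point */`) would make that ownership hand-off visible to the next person who edits this path, and it would be worth checking that nothing after the label, including any code between `return 0;` and the `enomem:` path, touches `edit` again.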