xfs_scrub: avoid potential UAF after freeing a duplicate name entry
authorDarrick J. Wong <djwong@kernel.org>
Mon, 29 Jul 2024 23:23:10 +0000 (16:23 -0700)
committerDarrick J. Wong <djwong@kernel.org>
Tue, 30 Jul 2024 00:01:08 +0000 (17:01 -0700)
Change the function declaration of unicrash_add to set the caller's
@new_entry to NULL if we detect an updated name entry and do not wish to
continue processing.  This avoids a theoretical UAF if the unicrash_add
caller were to accidentally continue using the pointer.

This isn't an /actual/ UAF because the function formerly set @badflags
to zero, but let's be a little defensive.

Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
scrub/unicrash.c

index edc32d55cb01fb3d4854ea18c4a7869aba7b0eeb..4517e2bcef617a35434332a1e28325d877d73fa2 100644 (file)
@@ -628,10 +628,11 @@ out:
 static void
 unicrash_add(
        struct unicrash         *uc,
-       struct name_entry       *new_entry,
+       struct name_entry       **new_entryp,
        unsigned int            *badflags,
        struct name_entry       **existing_entry)
 {
+       struct name_entry       *new_entry = *new_entryp;
        struct name_entry       *entry;
        size_t                  bucket;
        xfs_dahash_t            hash;
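Review bot: The switch to `struct name_entry **new_entryp` changes who owns the entry, and nothing in this hunk documents that unicrash_add may now free it and NULL the caller's pointer. Any comment above the function lies outside the hunk; if it does not already say so, add something like `/* May free *new_entryp and set it to NULL if the name is a duplicate; callers must test the pointer before using it. */`. The local alias `new_entry` taken at the top of the body still holds the old address after the free, so code added later on that path should go through `*new_entryp` rather than the alias. The function body continues outside the hunk.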
@@ -654,7 +655,7 @@ unicrash_add(
                        entry->ino = new_entry->ino;
                        uc->buckets[bucket] = new_entry->next;
                        name_entry_free(new_entry);
-                       *badflags = 0;
+                       *new_entryp = NULL;
                        return;
                }
 
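Review bot: Dropping `*badflags = 0;` on this early-return path leaves the flags set by name_entry_examine in place, so the caller's pointer test is now the only thing separating this path from unicrash_complain. The caller in the last hunk tests `new_entry && badflags` and is fine, but a call site that still tests only `badflags` would pass a NULL entry on. Because unicrash_add is static, that can be checked within the file. Keeping both lines, `*new_entryp = NULL;` followed by `*badflags = 0;`, costs nothing and preserves the old contract alongside the new one. The enclosing loop and condition start outside the hunk.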
@@ -697,8 +698,8 @@ __unicrash_check_name(
                return 0;
 
        name_entry_examine(new_entry, &badflags);
-       unicrash_add(uc, new_entry, &badflags, &dup_entry);
-       if (badflags)
+       unicrash_add(uc, &new_entry, &badflags, &dup_entry);
+       if (new_entry && badflags)
                unicrash_complain(uc, dsc, namedescr, new_entry, badflags,
                                dup_entry);