From: Greg Kroah-Hartman Date: Mon, 3 Dec 2018 10:57:58 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.19.7~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b0f7dc88d7d5516918b60f56acd1c56771a1b29a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: ext2-fix-potential-use-after-free.patch --- diff --git a/queue-3.18/ext2-fix-potential-use-after-free.patch b/queue-3.18/ext2-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..7accfb4d267 --- /dev/null +++ b/queue-3.18/ext2-fix-potential-use-after-free.patch @@ -0,0 +1,36 @@ +From ecebf55d27a11538ea84aee0be643dd953f830d5 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Sun, 25 Nov 2018 08:58:02 +0800 +Subject: ext2: fix potential use after free + +From: Pan Bian + +commit ecebf55d27a11538ea84aee0be643dd953f830d5 upstream. + +The function ext2_xattr_set calls brelse(bh) to drop the reference count +of bh. After that, bh may be freed. However, following brelse(bh), +it reads bh->b_data via macro HDR(bh). This may result in a +use-after-free bug. This patch moves brelse(bh) after reading field. + +CC: stable@vger.kernel.org +Signed-off-by: Pan Bian +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext2/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -606,9 +606,9 @@ skip_replace: + } + + cleanup: +- brelse(bh); + if (!(bh && header == HDR(bh))) + kfree(header); ++ brelse(bh); + up_write(&EXT2_I(inode)->xattr_sem); + + return error; diff --git a/queue-3.18/series b/queue-3.18/series index 4733b735d60..eda3d47005d 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -5,3 +5,4 @@ usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-bug-2.patch alsa-wss-fix-invalid-snd_free_pages-at-error-path.patch alsa-ac97-fix-incorrect-bit-shift-at-ac97-spsa-control-write.patch alsa-sparc-fix-invalid-snd_free_pages-at-error-path.patch +ext2-fix-potential-use-after-free.patch
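Review bot: the statement order at the cleanup: label in the fs/ext2/xattr.c hunk is now what prevents the use after free, but nothing in the code records that. The moved brelse(bh) has to stay below the test if (!(bh && header == HDR(bh))), because HDR(bh) reads bh->b_data and the commit message says bh may be freed once its reference is dropped. A one-line comment above brelse(bh), saying the buffer reference must be held until the header comparison is done, would keep a later tidy-up of this exit path from moving the release back to the top. The same test shows bh can be NULL at this label, and brelse(bh) is still called unconditionally as it was before the move, so the reorder does not change that case.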