From: Eric Sandeen
Date: Tue, 13 Oct 2015 23:30:52 +0000 (+1100)
Subject: xfs_repair: fix use-after-free in verify_final_dir2_path
X-Git-Tag: v4.3.0-rc1~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=82137e54c56bdba6fae3c3361f6f7e8ef30fcb4b;p=thirdparty%2Fxfsprogs-dev.git
xfs_repair: fix use-after-free in verify_final_dir2_path
Way back in 2002, commit 948ce18 fixed a potential use-after-free in verify_final_da_path, but the same fix was not applied to verify_final_dir2_path; apply it now.
Signed-off-by: Eric Sandeen
Signed-off-by: Eric Sandeen
Reviewed-by: Brian Foster
Signed-off-by: Dave Chinner
---
diff --git a/repair/dir2.c b/repair/dir2.c
index 44367c6aa..898b27e80 100644
--- a/repair/dir2.c
+++ b/repair/dir2.c
@@ -330,6 +330,7 @@ verify_final_dir2_path(xfs_mount_t *mp,
 const int p_level)
 {
 xfs_da_intnode_t *node;
+ xfs_dahash_t hashval;
 int bad = 0;
 int entry;
 int this_level = p_level + 1;
@@ -408,6 +409,12 @@ _("would correct bad hashval in non-leaf dir block\n"
 }
 }
+ /*
+ * Note: squirrel hashval away _before_ releasing the
+ * buffer, preventing a use-after-free problem.
+ */
+ hashval = be32_to_cpu(btree[entry].hashval);
+
 /*
 * release/write buffer
 */
@@ -430,7 +437,7 @@ _("would correct bad hashval in non-leaf dir block\n"
 * set hashvalue to correctl reflect the now-validated
 * last entry in this block and continue upwards validation
 */
- cursor->level[this_level].hashval = be32_to_cpu(btree[entry].hashval);
+ cursor->level[this_level].hashval = hashval;
 return(verify_final_dir2_path(mp, cursor, this_level));
 }
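Review bot: In the second hunk, `btree` and `node` stay in scope after the release that follows the saved read and, presumably being pointers into the released buffer, are left dangling through to the end of the function. The third hunk removes the one stale read visible here, but the lines between the two hunks are not shown and should be checked for any other `btree[...]` or `node->` access after the release. Because xfs_repair parses on-disk metadata that may be corrupted, a leftover read of that kind would put freed memory into `cursor->level[this_level].hashval`, as the removed line did. Consider clearing the pointers right after the release, e.g. `node = NULL;` and `btree = NULL;`, so later misuse fails loudly. Running the repair tests under AddressSanitizer or valgrind would confirm no other path is affected.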