From: Yu Watanabe Date: Sat, 29 Apr 2023 21:57:49 +0000 (+0900) Subject: sd-journal: fix use-after-free X-Git-Tag: v254-rc1~586^2~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e28d82512742b65c9d44273df614dceff5fb9a34;p=thirdparty%2Fsystemd.git sd-journal: fix use-after-free As commented in the code, we need to replace the pointer to the key, hence, hashmap_replace() must be used, instead of hashmap_update(). Fixes #27459.
---
diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c
index b0194e875c9..d5561c9a46b 100644
--- a/src/libsystemd/sd-journal/sd-journal.c
+++ b/src/libsystemd/sd-journal/sd-journal.c
@@ -2304,7 +2304,7 @@ static void journal_file_unlink_newest_by_bood_id(sd_journal *j, JournalFile *f)
 /* There's still a member in the prioq? Then make sure the hashmap key now points to its
 * .newest_boot_id field (and not ours!). Not we only replace the memory of the key here, the
 * value of the key (and the data associated with it) remain the same. */
- assert_se(hashmap_update(j->newest_by_boot_id, &nf->newest_boot_id, p) >= 0);
+ assert_se(hashmap_replace(j->newest_by_boot_id, &nf->newest_boot_id, p) >= 0);
 else {
 assert_se(hashmap_remove(j->newest_by_boot_id, &f->newest_boot_id) == p);
 prioq_free(p);
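Review bot: The new assertion `assert_se(hashmap_replace(j->newest_by_boot_id, &nf->newest_boot_id, p) >= 0);` may check less than the line it replaces, because hashmap_replace(), as I understand the helper (its definition is not in this hunk), inserts a fresh entry when the key is absent and reports that with a positive return value. hashmap_update() fails for a missing key, so the old assert also verified that the entry already existed; asserting `== 0` would keep that invariant and rule out the allocating insert path, provided 0 is indeed the "replaced in place" result. The comment above the call should also say outright why hashmap_update() is wrong here, for example `/* hashmap_update() keeps the stored key pointer, which still refers to f's field and dangles once f goes away. */`, and its "Not we only replace" should read "Note we only replace". The function begins and ends outside the hunk, so whether any other path leaves a key pointing into `f` cannot be judged from here.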