evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

eCryptfs: use after free in ecryptfs_release_messaging()

Browse source 
commit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream.

We're freeing the list iterator so we should be using the _safe()
version of hlist_for_each_entry().

Fixes: 88b4a07e66 ("[PATCH] eCryptfs: Public key transport mechanism")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Dan Carpenter 2017-08-22 23:41:28 +03:00 committed by Greg Kroah-Hartman
parent 7d7b05e4ff
commit 9c093a2583
1 changed files with 4 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
fs/ecryptfs/messaging.c
View file

@ -442,13 +442,14 @@ void ecryptfs_release_messaging(void)
} }
if (ecryptfs_daemon_hash) { if (ecryptfs_daemon_hash) {
struct ecryptfs_daemon *daemon; struct ecryptfs_daemon *daemon;
struct hlist_node *n;
int i; int i;
mutex_lock(&ecryptfs_daemon_hash_mux); mutex_lock(&ecryptfs_daemon_hash_mux);
for (i = 0; i < (1 << ecryptfs_hash_bits); i++) { for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
int rc; int rc;
hlist_for_each_entry(daemon, hlist_for_each_entry_safe(daemon, n,
&ecryptfs_daemon_hash[i], &ecryptfs_daemon_hash[i],
euid_chain) { euid_chain) {
rc = ecryptfs_exorcise_daemon(daemon); rc = ecryptfs_exorcise_daemon(daemon);