From 843e0aecf076e5cbd4f3f05890231bf971d28be5 Mon Sep 17 00:00:00 2001
From: Jingbo Xu
Date: Fri, 25 Nov 2022 16:48:23 +0800
Subject: [PATCH] anolis: cachefiles: reset object->private to NULL when it's freed

ANBZ: #3213

cachefiles_object is allocated from cachefiles_object_jar slab cache without zeroing. Apart from cachefiles_alloc_object(), cachefiles_daemon_add_cache() also allocates cachefiles_object directly from cachefiles_object_jar slab cache, in which object->private is not initialized, while the allocated cachefiles_object is still freed in cachefiles_put_object(). This is reasonable since the cachefiles_object allocated in cachefiles_daemon_add_cache() represents a directory rather than a data file, while object->private is only used for data files. However, if object->private is not reset to NULL when cachefiles_object is freed, and then the cachefiles_object is allocated again in cachefiles_alloc_object(), a wild pointer is exposed in object->private, which can cause double-free or use-after-free.

Fixes: 679445f70359 ("anolis: cachefiles: extract ondemand info field from cachefiles_object")
Signed-off-by: Jingbo Xu
---
 fs/cachefiles/interface.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/cachefiles/interface.c b/fs/cachefiles/interface.c
index 0a946d046724..5eedd6382737 100644
--- a/fs/cachefiles/interface.c
+++ b/fs/cachefiles/interface.c
@@ -106,6 +106,7 @@ static struct fscache_object *cachefiles_alloc_object(
 	kfree(buffer);
 nomem_buffer:
 	kfree(object->private);
+	object->private = NULL;
 nomem_obj_info:
 	BUG_ON(test_bit(CACHEFILES_OBJECT_ACTIVE, &object->flags));
 	kmem_cache_free(cachefiles_object_jar, object);
@@ -379,6 +380,7 @@ static void cachefiles_put_object(struct fscache_object *_object,
 
 		cache = object->fscache.cache;
 		kfree(object->private);
+		object->private = NULL;
 		fscache_object_destroy(&object->fscache);
 		kmem_cache_free(cachefiles_object_jar, object);
 		fscache_object_destroyed(cache);
-- 
Gitee
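Review bot: The added `object->private = NULL;` under nomem_buffer: stores into an object that is handed to kmem_cache_free two lines later, and nothing at the site says why that is not dead code; a future cleanup could remove it and silently reopen the stale-pointer reuse the commit message describes. A one-line comment such as `/* object returns to cachefiles_object_jar un-zeroed: a stale private pointer would be kfree'd again by the next owner */` would pin the invariant, and the same comment belongs on the identical store in the cachefiles_put_object hunk. The invariant only holds if every path that returns an object to the jar clears private, which this patch covers for the two sites it touches; a slab constructor, if the jar has one, presumably initialises an object only when the slab is first populated and not on each reuse, so resetting at free time is the right place. cachefiles_alloc_object begins and ends outside the hunk.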
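Review bot: The reset in cachefiles_put_object closes the put path, but the description says cachefiles_daemon_add_cache allocates from cachefiles_object_jar directly without assigning private; if that function (or any other caller) also returns an object to the jar on an error path without going through cachefiles_put_object, that site still relies on the previous occupant having cleared the field, which is not visible here and worth confirming with a search for every kmem_cache_free(cachefiles_object_jar, …) call. Kernel hardening options that poison freed slab objects would turn a missed site into a kfree of a poison pattern rather than a silent double free, which is a useful way to validate the fix under testing. cachefiles_put_object begins and ends outside the hunk.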