Re: [PATCH] jffs2: fix use after free in jffs2_sum_write_data()
From: Nathan Chancellor
Date: Mon Jan 04 2021 - 18:13:58 EST
On Wed, Dec 30, 2020 at 06:56:04AM -0800, trix@xxxxxxxxxx wrote:
> From: Tom Rix <trix@xxxxxxxxxx>
>
> clang static analysis reports this problem
>
> fs/jffs2/summary.c:794:31: warning: Use of memory after it is freed
> c->summary->sum_list_head = temp->u.next;
> ^~~~~~~~~~~~
>
> In jffs2_sum_write_data(), in a loop summary data is handles a node at
> a time. When it has written out the node it is removed the summary list,
> and the node is deleted. In the corner case when a
> JFFS2_FEATURE_RWCOMPAT_COPY is seen, a call is made to
> jffs2_sum_disable_collecting(). jffs2_sum_disable_collecting() deletes
> the whole list which conflicts with the loop's deleting the list by parts.
>
> To preserve the old behavior of stopping the write midway, bail out of
> the loop after disabling summary collection.
>
> Fixes: 6171586a7ae5 ("[JFFS2] Correct handling of JFFS2_FEATURE_RWCOMPAT_COPY nodes.")
> Signed-off-by: Tom Rix <trix@xxxxxxxxxx>
Reviewed-by: Nathan Chancellor <natechancellor@xxxxxxxxx>
> ---
> fs/jffs2/summary.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c
> index be7c8a6a5748..4fe64519870f 100644
> --- a/fs/jffs2/summary.c
> +++ b/fs/jffs2/summary.c
> @@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
> dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n",
> je16_to_cpu(temp->u.nodetype));
> jffs2_sum_disable_collecting(c->summary);
> + /* The above call removes the list, nothing more to do */
> + goto bail_rwcompat;
> } else {
> BUG(); /* unknown node in summary information */
> }
> @@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
>
> c->summary->sum_num--;
> }
> + bail_rwcompat:
>
> jffs2_sum_reset_collected(c->summary);
>
> --
> 2.27.0
>