Vulnerability link
https://nvd.nist.gov/vuln/detail/CVE-2015-8961
Patch link
Vulnerability analysis
Vulnerability description
There is a use-after-free possibility in __ext4_journal_stop() in the case that we free the handle in the first jbd2_journal_stop() because we're referencing handle->h_err afterwards. This was introduced in 9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by storing the handle->h_err value beforehand and avoid referencing potentially freed handle.
Patch
jbd2_journal_stop() frees the memory that handle points to, so handle becomes a dangling pointer; the code that follows still dereferences handle (handle->h_err), which is a use-after-free.
Patch approach
Swap the order of the use and the free, in two steps:
1. Move the read of handle->h_err before the call that frees the handle.
2. Remove the dereference of handle after the free.
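The two orderings side by side, as an added example that is not the kernel's code or the patch itself: a constructed model of the handle and of jbd2_journal_stop() (model_jbd2_journal_stop, ext4_journal_stop_before, ext4_journal_stop_after and run_variant are all assumed names). The model poisons the released object instead of calling free() so the stale read shows up as garbage rather than undefined behaviour.

```c
#include <stdlib.h>

/* Constructed model of the relevant state; not the kernel's handle_t. */
typedef struct handle {
    int h_err;   /* error recorded on the handle by earlier operations */
    int freed;   /* model only: set once the handle has been released */
} handle_t;

/* Stands in for slab poisoning of memory that has been freed. */
#define POISON 0x6b6b6b6b

/* Model of jbd2_journal_stop(): reports its own status and releases the
 * handle. The release is simulated by poisoning the object so that any
 * later read through the dangling pointer is visibly wrong. */
static int model_jbd2_journal_stop(handle_t *handle)
{
    int rc = -5;                /* -EIO: the journal itself failed */
    handle->h_err = POISON;
    handle->freed = 1;
    return rc;
}

/* Shape of the code before the fix: handle is dereferenced after the
 * call that released it, which is the use-after-free. */
static int ext4_journal_stop_before(handle_t *handle)
{
    int err = model_jbd2_journal_stop(handle);
    return handle->h_err ? handle->h_err : err;   /* stale read */
}

/* Shape of the fix: read h_err first, never touch handle afterwards. */
static int ext4_journal_stop_after(handle_t *handle)
{
    int err = handle->h_err;
    int rc = model_jbd2_journal_stop(handle);
    return err ? err : rc;
}

/* Runs one variant on a fresh handle whose h_err is initial_err and
 * returns the status the caller would see. */
int run_variant(int fixed, int initial_err)
{
    handle_t *h = calloc(1, sizeof *h);
    if (!h)
        return -12;             /* -ENOMEM */
    h->h_err = initial_err;
    int r = fixed ? ext4_journal_stop_after(h) : ext4_journal_stop_before(h);
    free(h);
    return r;
}
```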