linux/fs/overlayfs
Amir Goldstein 4c7d0c9cb7 ovl: fix possible use after free on redirect dir lookup
ovl_lookup_layer() iterates on path elements of d->name.name
but also frees and allocates a new pointer for d->name.name.

For the case of lookup in upper layer, the initial d->name.name
pointer is stable (dentry->d_name), but for lower layers, the
initial d->name.name can be d->redirect, which can be freed during
iteration.

[SzM]
Keep the count of remaining characters in the redirect path and calculate
the current position from that.  This works becuase only the prefix is
modified, the ending always stays the same.

Fixes: 02b69b284c ("ovl: lookup redirects")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-01-18 15:19:54 +01:00
..
copy_up.c Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs 2016-12-16 10:58:12 -08:00
dir.c ovl: clean up kstat usage 2016-12-16 11:02:57 +01:00
inode.c Merge uncontroversial parts of branch 'readlink' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs 2016-12-17 19:16:12 -08:00
Kconfig ovl: allow redirect_dir to default to "on" 2016-12-16 11:02:57 +01:00
Makefile ovl: split super.c 2016-12-16 11:02:56 +01:00
namei.c ovl: fix possible use after free on redirect dir lookup 2017-01-18 15:19:54 +01:00
overlayfs.h ovl: clean up kstat usage 2016-12-16 11:02:57 +01:00
ovl_entry.h ovl: redirect on rename-dir 2016-12-16 11:02:56 +01:00
readdir.c ovl: proper cleanup of workdir 2016-09-01 11:11:59 +02:00
super.c ovl: fix return value of ovl_fill_super 2016-12-16 11:02:57 +01:00
util.c ovl: opaque cleanup 2016-12-16 11:02:57 +01:00