| Message ID | 1412112589-26896-1-git-send-email-kamal@canonical.com |
|---|---|
| State | New |
| Headers | show |
diff --git a/lib/assoc_array.c b/lib/assoc_array.c index 76ae279..f9524b8 100644 --- a/lib/assoc_array.c +++ b/lib/assoc_array.c @@ -1737,7 +1737,7 @@ ascend_old_tree: gc_complete: edit->set[0].to = new_root; assoc_array_apply_edit(edit); - edit->array->nr_leaves_on_tree = nr_leaves_on_tree; + array->nr_leaves_on_tree = nr_leaves_on_tree; return 0; enomem:
This is a note to let you know that I have just added a patch titled KEYS: Fix use-after-free in assoc_array_gc() to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue This patch is scheduled to be released in version 3.13.11.8. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.13.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ------ From 64ce976f814fa1134b39255f38c80a9a54e9e537 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Tue, 2 Sep 2014 13:52:20 +0100 Subject: KEYS: Fix use-after-free in assoc_array_gc() commit 27419604f51a97d497853f14142c1059d46eb597 upstream. An edit script should be considered inaccessible by a function once it has called assoc_array_apply_edit() or assoc_array_cancel_edit(). However, assoc_array_gc() is accessing the edit script just after the gc_complete: label. Reported-by: Andreea-Cristina Bernat <bernat.ada@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Andreea-Cristina Bernat <bernat.ada@gmail.com> cc: shemming@brocade.com cc: paulmck@linux.vnet.ibm.com Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com> --- lib/assoc_array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 1.9.1