CVE-2019-13105: ext4: fix double-free in ext4_cache_read ext_cache_read doesn't null cache->buf, after freeing, which results in a later function double-freeing it. This patch fixes ext_cache_read to call ext_cache_fini instead of free. Signed-off-by: Paul Emge <paulemge@forallsecure.com>

commit: 955dbbc60825f0e60b44231d6e95003562ef1c3a [log] [tgz]
author: Paul Emge <paulemge@forallsecure.com> Mon Jul 08 16:37:04 2019 -0700
committer: Tom Rini <trini@konsulko.com> Thu Jul 18 11:31:28 2019 -0400
tree: 29fae8aea17e98fed0adbf28815066e5c2594db0
parent: 614941291533198fd6efb8665b9243fbf946fd69 [diff] [blame]
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 26db677..85dc122 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c

@@ -286,7 +286,7 @@
 	if (!cache->buf)
 		return 0;
 	if (!ext4fs_devread(block, 0, size, cache->buf)) {
-		free(cache->buf);
+		ext_cache_fini(cache);
 		return 0;
 	}
 	cache->block = block;
commit	955dbbc60825f0e60b44231d6e95003562ef1c3a	[log] [tgz]
author	Paul Emge <paulemge@forallsecure.com>	Mon Jul 08 16:37:04 2019 -0700
committer	Tom Rini <trini@konsulko.com>	Thu Jul 18 11:31:28 2019 -0400
tree	29fae8aea17e98fed0adbf28815066e5c2594db0
parent	614941291533198fd6efb8665b9243fbf946fd69 [diff] [blame]