Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1605b8471d64c855bc2493abf3adf6a1ebc3e645
Commit:     1605b8471d64c855bc2493abf3adf6a1ebc3e645
Parent:     f6259deacfd55607ae57cff422d3bc7694ea14e7
Author:     Herbert Xu <[EMAIL PROTECTED]>
AuthorDate: Wed May 9 13:04:39 2007 +1000
Committer:  Herbert Xu <[EMAIL PROTECTED]>
CommitDate: Wed May 9 13:04:39 2007 +1000

    [CRYPTO] cryptomgr: Fix use after free
    
    By the time kthread_run returns the param may have already been freed
    so writing the returned thread_struct pointer to param is wrong.
    
    In fact, we don't need it in param anyway so this patch simply puts it
    on the stack.
    
    Signed-off-by: Herbert Xu <[EMAIL PROTECTED]>
---
 crypto/cryptomgr.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/crypto/cryptomgr.c b/crypto/cryptomgr.c
index 6958ea8..e5fb7cc 100644
--- a/crypto/cryptomgr.c
+++ b/crypto/cryptomgr.c
@@ -24,8 +24,6 @@
 #include "internal.h"
 
 struct cryptomgr_param {
-       struct task_struct *thread;
-
        struct rtattr *tb[CRYPTOA_MAX];
 
        struct {
@@ -81,6 +79,7 @@ err:
 
 static int cryptomgr_schedule_probe(struct crypto_larval *larval)
 {
+       struct task_struct *thread;
        struct cryptomgr_param *param;
        const char *name = larval->alg.cra_name;
        const char *p;
@@ -130,8 +129,8 @@ static int cryptomgr_schedule_probe(struct crypto_larval 
*larval)
 
        memcpy(param->larval.name, larval->alg.cra_name, CRYPTO_MAX_ALG_NAME);
 
-       param->thread = kthread_run(cryptomgr_probe, param, "cryptomgr");
-       if (IS_ERR(param->thread))
+       thread = kthread_run(cryptomgr_probe, param, "cryptomgr");
+       if (IS_ERR(thread))
                goto err_free_param;
 
        return NOTIFY_STOP;
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to