ovl: fix possible use after free on redirect dir lookup
authorAmir Goldstein <amir73il@gmail.com>
Wed, 18 Jan 2017 14:19:54 +0000 (15:19 +0100)
committerMiklos Szeredi <mszeredi@redhat.com>
Wed, 18 Jan 2017 14:19:54 +0000 (15:19 +0100)
commit4c7d0c9cb713a28b133b265d595de2a93ee09712
treec240721d9ca9339d3bebb3a4bf62112ffb36740e
parent49def1853334396f948dcb4cedb9347abb318df5
ovl: fix possible use after free on redirect dir lookup

ovl_lookup_layer() iterates on path elements of d->name.name
but also frees and allocates a new pointer for d->name.name.

For the case of lookup in upper layer, the initial d->name.name
pointer is stable (dentry->d_name), but for lower layers, the
initial d->name.name can be d->redirect, which can be freed during
iteration.

[SzM]
Keep the count of remaining characters in the redirect path and calculate
the current position from that.  This works becuase only the prefix is
modified, the ending always stays the same.

Fixes: 02b69b284cd7 ("ovl: lookup redirects")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
fs/overlayfs/namei.c