From e28d82512742b65c9d44273df614dceff5fb9a34 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 30 Apr 2023 06:57:49 +0900
Subject: sd-journal: fix use-after-free
As commented in the code, we need to replace the pointer to the key, hence, hashmap_replace() must be used, instead of hashmap_update(). Fixes #27459.
---
 src/libsystemd/sd-journal/sd-journal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/libsystemd')
diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c
index b0194e875c..d5561c9a46 100644
--- a/src/libsystemd/sd-journal/sd-journal.c
+++ b/src/libsystemd/sd-journal/sd-journal.c
@@ -2304,7 +2304,7 @@ static void journal_file_unlink_newest_by_bood_id(sd_journal *j, JournalFile *f)
 /* There's still a member in the prioq? Then make sure the hashmap key now points to its
 * .newest_boot_id field (and not ours!). Not we only replace the memory of the key here, the
 * value of the key (and the data associated with it) remain the same. */
- assert_se(hashmap_update(j->newest_by_boot_id, &nf->newest_boot_id, p) >= 0);
+ assert_se(hashmap_replace(j->newest_by_boot_id, &nf->newest_boot_id, p) >= 0);
 else {
 assert_se(hashmap_remove(j->newest_by_boot_id, &f->newest_boot_id) == p);
 prioq_free(p);
--
cgit v1.2.1
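Review bot: On the changed line, the `>= 0` check no longer verifies that an entry for this boot ID already exists. As far as I know, `hashmap_replace()` inserts a new entry when the key is absent and then fails only on allocation, whereas `hashmap_update()` returned an error for a missing key. Since the comment says only the key memory is swapped, I would keep that invariant explicit by adding `assert(hashmap_get(j->newest_by_boot_id, &f->newest_boot_id) == p);` just before the call, mirroring the `== p` check in the else branch. The comment also reads "Not we only replace", presumably meant as "Note we only replace"; while there, add a sentence saying the old key points into `f` and would dangle once `f` is freed, which is why `hashmap_update()` must not be used here. The function starts and ends outside this hunk, so the state of `nf` and `f` at this point is inferred from the visible lines only.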