Message ID | 1334911103-3072-1-git-send-email-stefan.bader@canonical.com |
---|---|
State | New |
Headers | show |
On Fri, Apr 20, 2012 at 10:38:23AM +0200, Stefan Bader wrote: > A flaw was discovered in the Linux kernel's cifs file system. An > unprivileged local user could exploit this flaw to crash the system leading > to a denial of service. > > I believe this was introduced somewhere in 2.6.30, so Hardy is not > affected. Fixes have reached Oneiric and Precise via upstream stable. > So proposing for Natty and the ti-omap4 branch there. > > -Stefan > > From 35e7104ae389ba5f952163f4c8c678e78269dbd9 Mon Sep 17 00:00:00 2001 > From: Jeff Layton <jlayton@redhat.com> > Date: Thu, 23 Feb 2012 09:37:45 -0500 > Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup > > The cifs code will attempt to open files on lookup under certain > circumstances. What happens though if we find that the file we opened > was actually a FIFO or other special file? > > Currently, the open filehandle just ends up being leaked leading to > a dentry refcount mismatch and oops on umount. Fix this by having the > code close the filehandle on the server if it turns out not to be a > regular file. While we're at it, change this spaghetti if statement > into a switch too. > > Cc: stable@vger.kernel.org > Reported-by: CAI Qian <caiqian@redhat.com> > Tested-by: CAI Qian <caiqian@redhat.com> > Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> > Signed-off-by: Jeff Layton <jlayton@redhat.com> > Signed-off-by: Steve French <smfrench@gmail.com> > > BugLink: http://bugs.launchpad.net/bugs/947997 > CVE-2012-1090 > > (cherry-picked from 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream) > Signed-off-by: Stefan Bader <stefan.bader@canonical.com> > --- > fs/cifs/dir.c | 20 ++++++++++++++++++-- > 1 file changed, 18 insertions(+), 2 deletions(-) > > diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c > index dd5f229..625c53d 100644 > --- a/fs/cifs/dir.c > +++ b/fs/cifs/dir.c > @@ -573,10 +573,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry, > * If either that or op not supported returned, follow > * the normal lookup. > */ > - if ((rc == 0) || (rc == -ENOENT)) > + switch (rc) { > + case 0: > + /* > + * The server may allow us to open things like > + * FIFOs, but the client isn't set up to deal > + * with that. If it's not a regular file, just > + * close it and proceed as if it were a normal > + * lookup. > + */ > + if (newInode && !S_ISREG(newInode->i_mode)) { > + CIFSSMBClose(xid, pTcon, fileHandle); > + break; > + } > + case -ENOENT: > posix_open = true; > - else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP)) > + case -EOPNOTSUPP: > + break; > + default: > pTcon->broken_posix_open = true; > + } > } > if (!posix_open) > rc = cifs_get_inode_info_unix(&newInode, full_path, > -- > 1.7.9.5 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
On 04/20/2012 01:38 AM, Stefan Bader wrote: > A flaw was discovered in the Linux kernel's cifs file system. An > unprivileged local user could exploit this flaw to crash the system leading > to a denial of service. > > I believe this was introduced somewhere in 2.6.30, so Hardy is not > affected. Fixes have reached Oneiric and Precise via upstream stable. > So proposing for Natty and the ti-omap4 branch there. > > -Stefan > > From 35e7104ae389ba5f952163f4c8c678e78269dbd9 Mon Sep 17 00:00:00 2001 > From: Jeff Layton<jlayton@redhat.com> > Date: Thu, 23 Feb 2012 09:37:45 -0500 > Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup > > The cifs code will attempt to open files on lookup under certain > circumstances. What happens though if we find that the file we opened > was actually a FIFO or other special file? > > Currently, the open filehandle just ends up being leaked leading to > a dentry refcount mismatch and oops on umount. Fix this by having the > code close the filehandle on the server if it turns out not to be a > regular file. While we're at it, change this spaghetti if statement > into a switch too. > > Cc: stable@vger.kernel.org > Reported-by: CAI Qian<caiqian@redhat.com> > Tested-by: CAI Qian<caiqian@redhat.com> > Reviewed-by: Shirish Pargaonkar<shirishpargaonkar@gmail.com> > Signed-off-by: Jeff Layton<jlayton@redhat.com> > Signed-off-by: Steve French<smfrench@gmail.com> > > BugLink: http://bugs.launchpad.net/bugs/947997 > CVE-2012-1090 > > (cherry-picked from 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream) > Signed-off-by: Stefan Bader<stefan.bader@canonical.com> Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com> > --- > fs/cifs/dir.c | 20 ++++++++++++++++++-- > 1 file changed, 18 insertions(+), 2 deletions(-) > > diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c > index dd5f229..625c53d 100644 > --- a/fs/cifs/dir.c > +++ b/fs/cifs/dir.c > @@ -573,10 +573,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry, > * If either that or op not supported returned, follow > * the normal lookup. > */ > - if ((rc == 0) || (rc == -ENOENT)) > + switch (rc) { > + case 0: > + /* > + * The server may allow us to open things like > + * FIFOs, but the client isn't set up to deal > + * with that. If it's not a regular file, just > + * close it and proceed as if it were a normal > + * lookup. > + */ > + if (newInode&& !S_ISREG(newInode->i_mode)) { > + CIFSSMBClose(xid, pTcon, fileHandle); > + break; > + } > + case -ENOENT: > posix_open = true; > - else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP)) > + case -EOPNOTSUPP: > + break; > + default: > pTcon->broken_posix_open = true; > + } > } > if (!posix_open) > rc = cifs_get_inode_info_unix(&newInode, full_path,
Applied to Natty master-next and ti-omap4
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c index dd5f229..625c53d 100644 --- a/fs/cifs/dir.c +++ b/fs/cifs/dir.c @@ -573,10 +573,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry, * If either that or op not supported returned, follow * the normal lookup. */ - if ((rc == 0) || (rc == -ENOENT)) + switch (rc) { + case 0: + /* + * The server may allow us to open things like + * FIFOs, but the client isn't set up to deal + * with that. If it's not a regular file, just + * close it and proceed as if it were a normal + * lookup. + */ + if (newInode && !S_ISREG(newInode->i_mode)) { + CIFSSMBClose(xid, pTcon, fileHandle); + break; + } + case -ENOENT: posix_open = true; - else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP)) + case -EOPNOTSUPP: + break; + default: pTcon->broken_posix_open = true; + } } if (!posix_open) rc = cifs_get_inode_info_unix(&newInode, full_path,