Message ID | 1327917089-29562-2-git-send-email-apw@canonical.com |
---|---|
State | New |
On 30.01.2012 10:51, Andy Whitcroft wrote: > From: Eric Paris <eparis@redhat.com> > > If inotify_init is unable to allocate a new file for the new inotify > group we leak the new group. This patch drops the reference on the > group on file allocation failure. > > Reported-by: Vegard Nossum <vegard.nossum@gmail.com> > cc: stable@kernel.org > Signed-off-by: Eric Paris <eparis@redhat.com> > > (cherry picked from commit a2ae4cc9a16e211c8a128ba10d22a85431f093ab) > CVE-2010-4250 > BugLink: http://bugs.launchpad.net/bugs/917797 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > fs/notify/inotify/inotify_user.c | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c > index e46ca68..e295eee 100644 > --- a/fs/notify/inotify/inotify_user.c > +++ b/fs/notify/inotify/inotify_user.c > @@ -671,6 +671,7 @@ SYSCALL_DEFINE1(inotify_init1, int, flags) > if (ret >= 0) > return ret; > > + fsnotify_put_group(group); > atomic_dec(&user->inotify_devs); > out_free_uid: > free_uid(user); Looks reasonable, cherry-picked too... Acked-by: Stefan Bader <smb@canonical.com>
On Mon, Jan 30, 2012 at 09:51:29AM +0000, Andy Whitcroft wrote: > From: Eric Paris <eparis@redhat.com> > > If inotify_init is unable to allocate a new file for the new inotify > group we leak the new group. This patch drops the reference on the > group on file allocation failure. > > Reported-by: Vegard Nossum <vegard.nossum@gmail.com> > cc: stable@kernel.org > Signed-off-by: Eric Paris <eparis@redhat.com> > > (cherry picked from commit a2ae4cc9a16e211c8a128ba10d22a85431f093ab) > CVE-2010-4250 > BugLink: http://bugs.launchpad.net/bugs/917797 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > fs/notify/inotify/inotify_user.c | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c > index e46ca68..e295eee 100644 > --- a/fs/notify/inotify/inotify_user.c > +++ b/fs/notify/inotify/inotify_user.c > @@ -671,6 +671,7 @@ SYSCALL_DEFINE1(inotify_init1, int, flags) > if (ret >= 0) > return ret; > > + fsnotify_put_group(group); > atomic_dec(&user->inotify_devs); > out_free_uid: > free_uid(user); > -- > 1.7.5.4 There is a fix for this change, which seems to introduce a regression. See commit d0de4dc584ec6aa3b26fffea320a8457827768fc
On 01/30/2012 05:06 AM, Herton Ronaldo Krzesinski wrote:
>
> There is a fix for this change, which seems to introduce a regression.
> See commit d0de4dc584ec6aa3b26fffea320a8457827768fc
>

Applied both. Isn't Maverick/ti-omap4 a rebase kernel ? Why wasn't d0de4dc584ec6aa3b26fffea320a8457827768fc picked up as a stable patch?

rtg
On Mon, Jan 30, 2012 at 06:55:36AM -0700, Tim Gardner wrote:
> On 01/30/2012 05:06 AM, Herton Ronaldo Krzesinski wrote:
> >
> >There is a fix for this change, which seems to introduce a regression.
> >See commit d0de4dc584ec6aa3b26fffea320a8457827768fc
> >
>
> Applied both. Isn't Maverick/ti-omap4 a rebase kernel ? Why wasn't
> d0de4dc584ec6aa3b26fffea320a8457827768fc picked up as a stable
> patch?

No, it isn't one of the rebasable branches. About stable, I don't know, maybe because it was marked stable only for 2.6.37+

>
> rtg
> --
> Tim Gardner tim.gardner@canonical.com
>
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c index e46ca68..e295eee 100644 --- a/fs/notify/inotify/inotify_user.c +++ b/fs/notify/inotify/inotify_user.c @@ -671,6 +671,7 @@ SYSCALL_DEFINE1(inotify_init1, int, flags) if (ret >= 0) return ret; + fsnotify_put_group(group); atomic_dec(&user->inotify_devs); out_free_uid: free_uid(user);
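Review bot: the added fsnotify_put_group(group) sits directly above atomic_dec(&user->inotify_devs) and the out_free_uid: free_uid(user) cleanup, so this error path needs a check that the group's release code (not visible in this hunk) does not already drop the per-user inotify_devs count and the uid reference; if it does, both would be released twice here. Confirm which side owns that cleanup and keep only one. The thread points to commit d0de4dc584ec6aa3b26fffea320a8457827768fc as a fix for a regression introduced by this change, so the backport should carry both commits together.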