[PATCH 02/11] [PATCH] Lost sockfd_put() in routing_ioctl()

-stable review patch.  If anyone has any objections, please let us know.
------------------

This patch adds the lost sockfd_put() in the 32-bit compat routing_ioctl() on
64-bit platforms.

I believe this is a security issue, since a user can fget() a file as many
times as he wants to. So the file refcounter can be overlapped and the first
fput() will free resources though there will still be structures
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.

The oops can be done under files_lock and others, so this can be an
exploitable DoS on SMP. Didn't check it in practice, actually.

Signed-Off-By: Kirill Korotaev <[email protected]>
Signed-Off-By: Maxim Giryaev <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
 fs/compat_ioctl.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

Index: linux-2.6.13.y/fs/compat_ioctl.c
===================================================================
--- linux-2.6.13.y.orig/fs/compat_ioctl.c
+++ linux-2.6.13.y/fs/compat_ioctl.c
@@ -798,13 +798,16 @@ static int routing_ioctl(unsigned int fd
 		r = (void *) &r4;
 	}
 
-	if (ret)
-		return -EFAULT;
+	if (ret) {
+		ret = -EFAULT;
+		goto out;
+	}
 
 	set_fs (KERNEL_DS);
 	ret = sys_ioctl (fd, cmd, (unsigned long) r);
 	set_fs (old_fs);
 
+out:
 	if (mysock)
 		sockfd_put(mysock);
 
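Review bot: the new `goto out` is only safe if `mysock` is initialised to NULL before any path on which `ret` can already be non-zero, because `out:` now runs `if (mysock) sockfd_put(mysock);` from a point the old code exited early; that initialisation and the `sockfd_lookup()` call are outside the hunk, so please confirm in the function prologue that `mysock` starts as NULL (or is always assigned before the `if (ret)` check). With that confirmed, the change correctly balances every exit after the lookup with one `sockfd_put()`, which is the reference leak the description calls out.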

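The leak the description refers to is easier to see with a counter in hand. The following is an added illustration, not code from the patch or from the kernel: `struct file`, `sockfd_lookup_sim()`, `sockfd_put_sim()` and the two `routing_ioctl_*` functions are constructed stand-ins that model only the reference counting, with the real ioctl call left out. `refcount_after_failures()` drives each variant through a number of failing calls (the `copy_failed` path that returns `-EFAULT`) and reports where the count ends up.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-in for struct file: only the reference count matters here. */
struct file {
    int f_count;
};

/* Constructed stand-in for sockfd_lookup(): takes a reference and hands it out. */
static struct file *sockfd_lookup_sim(struct file *f)
{
    f->f_count++;
    return f;
}

/* Constructed stand-in for sockfd_put(): drops the reference again. */
static void sockfd_put_sim(struct file *f)
{
    f->f_count--;
}

/* Pre-fix shape: the early return between lookup and put leaks one reference
 * on every failing call, so the count only ever grows. */
static int routing_ioctl_leaky(struct file *f, int copy_failed)
{
    struct file *mysock = sockfd_lookup_sim(f);
    int ret = copy_failed ? -1 : 0;

    if (ret)
        return -EFAULT;          /* reference taken above is never dropped */

    /* ... the real function would issue the ioctl here ... */

    if (mysock)
        sockfd_put_sim(mysock);
    return ret;
}

/* Fixed shape: every exit after the lookup passes through one cleanup label. */
static int routing_ioctl_fixed(struct file *f, int copy_failed)
{
    struct file *mysock = sockfd_lookup_sim(f);
    int ret = copy_failed ? -1 : 0;

    if (ret) {
        ret = -EFAULT;
        goto out;
    }

    /* ... the real function would issue the ioctl here ... */

out:
    if (mysock)
        sockfd_put_sim(mysock);
    return ret;
}

/* Run a variant through n failing calls on a file that starts with the single
 * reference held by the fd table, and return the resulting reference count.
 * A correct implementation leaves it at 1 regardless of n. */
int refcount_after_failures(int (*fn)(struct file *, int), int n)
{
    struct file f = { .f_count = 1 };
    for (int i = 0; i < n; i++)
        fn(&f, 1);
    return f.f_count;
}

int main(void)
{
    printf("leaky after 1000 failures: %d\n",
           refcount_after_failures(routing_ioctl_leaky, 1000));
    printf("fixed after 1000 failures: %d\n",
           refcount_after_failures(routing_ioctl_fixed, 1000));
    return 0;
}
```

The model does not simulate the counter wrapping or the later fput() freeing the structures; it only shows that the unbalanced path is reachable repeatedly from user space and that the single-exit `goto out` form keeps the count stable, which is what reviewers should check for on every error path between a lookup and its put.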