There is a NULL pointer dereference possible that was introduced in the
last round of modifications to the demotion code before merging.
current->mm should be checked for existence before it is dereferenced to
check the value of the mm_users field. This patch fixes all instances
of this bug.
Signed-off-by: Kylene Hall <[email protected]>
---
security/slim/slm_main.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
--- linux-2.6.18-rc6-orig/security/slim/slm_main.c 2006-09-18 16:41:51.000000000 -0500
+++ linux-2.6.18-rc6/security/slim/slm_main.c 2006-09-22 13:58:35.000000000 -0500
@@ -529,7 +519,7 @@ static int enforce_integrity_read(struct
spin_lock(&cur_tsec->lock);
if (!is_iac_less_than_or_exempt(level, cur_tsec->iac_r)) {
rc = has_file_wperm(level);
- if (atomic_read(¤t->mm->mm_users) != 1)
+ if (current->mm && atomic_read(¤t->mm->mm_users) != 1)
rc = 1;
if (rc) {
dprintk(SLM_BASE, "ppid %d(%s p=%d-%s) "
@@ -1100,7 +1092,7 @@ int slm_socket_create(int family, int ty
memset(&level, 0, sizeof(struct slm_file_xattr));
level.iac_level = SLM_IAC_UNTRUSTED;
rc = has_file_wperm(&level);
- if (atomic_read(¤t->mm->mm_users) != 1)
+ if (current->mm && atomic_read(¤t->mm->mm_users) != 1)
rc = 1;
if (rc) {
dprintk(SLM_BASE,
@@ -1306,7 +1298,7 @@ static int enforce_integrity_execute(str
cur_tsec->iac_r = cur_tsec->iac_wx;
} else {
rc = has_file_wperm(level);
- if (atomic_read(¤t->mm->mm_users) != 1)
+ if (current->mm && atomic_read(¤t->mm->mm_users) != 1)
rc = 1;
if (rc) {
dprintk(SLM_BASE,
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]