CVE-2012-1090 CIFS: fix dentry refcount leak when opening a FIFO on lookup (rhbz 798296)

2012-02-28 14:14:22 -06:00 · 2012-02-28 14:14:22 -06:00 · 4d8a6ac05d
commit 4d8a6ac05d
parent e0d8aaf397
2 changed files with 70 additions and 0 deletions
--- a/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
+++ b/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
@ -0,0 +1,61 @@
+From 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Thu, 23 Feb 2012 09:37:45 -0500
+Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
+
+The cifs code will attempt to open files on lookup under certain
+circumstances. What happens though if we find that the file we opened
+was actually a FIFO or other special file?
+
+Currently, the open filehandle just ends up being leaked leading to
+a dentry refcount mismatch and oops on umount. Fix this by having the
+code close the filehandle on the server if it turns out not to be a
+regular file. While we're at it, change this spaghetti if statement
+into a switch too.
+
+Cc: stable@vger.kernel.org
+Reported-by: CAI Qian <caiqian@redhat.com>
+Tested-by: CAI Qian <caiqian@redhat.com>
+Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+---
+ fs/cifs/dir.c |   20 ++++++++++++++++++--
+ 1 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
+index 63a196b..bc7e244 100644
+--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
+@@ -584,10 +584,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
+ 			 * If either that or op not supported returned, follow
+ 			 * the normal lookup.
+ 			 */
+-			if ((rc == 0) || (rc == -ENOENT))
+			switch (rc) {
+			case 0:
+				/*
+				 * The server may allow us to open things like
+				 * FIFOs, but the client isn't set up to deal
+				 * with that. If it's not a regular file, just
+				 * close it and proceed as if it were a normal
+				 * lookup.
+				 */
+				if (newInode && !S_ISREG(newInode->i_mode)) {
+					CIFSSMBClose(xid, pTcon, fileHandle);
+					break;
+				}
+			case -ENOENT:
+ 				posix_open = true;
+-			else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
+			case -EOPNOTSUPP:
+				break;
+			default:
+ 				pTcon->broken_posix_open = true;
+			}
+ 		}
+ 		if (!posix_open)
+ 			rc = cifs_get_inode_info_unix(&newInode, full_path,
+-- 
+1.7.0.4
+
--- a/kernel.spec
+++ b/kernel.spec
@ -774,6 +774,9 @@ Patch21280: ums_realtek-do-not-use-stack-memory-for-DMA-in-__do_.patch
 #rhbz 727865 730007
 Patch21300: ACPICA-Fix-regression-in-FADT-revision-checks.patch

+#rhbz 798296
+Patch21301: cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
+
 # compat-wireless patches
 Patch50000: compat-wireless-config-fixups.patch
 Patch50001: compat-wireless-pr_fmt-warning-avoidance.patch
@ -1493,6 +1496,9 @@ ApplyPatch ums_realtek-do-not-use-stack-memory-for-DMA-in-__do_.patch
 #rhbz 727865 730007
 ApplyPatch ACPICA-Fix-regression-in-FADT-revision-checks.patch

+#rhbz 798296
+ApplyPatch cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2364,6 +2370,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Tue Feb 28 2012 Justin M. Forbes <jforbes@redhat.com> 
+- CVE-2012-1090 CIFS: fix dentry refcount leak when opening a FIFO on lookup (rhbz 798296)
+
 * Tue Feb 28 2012 Dave Jones <davej@redhat.com> - 3.3.0-0.rc5.git2.1
 - Linux v3.3-rc5-88-g586c6e7