From 4d8a6ac05d0572e8c9705e8670e1fd52efa49e76 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 28 Feb 2012 14:14:22 -0600 Subject: [PATCH] CVE-2012-1090 CIFS: fix dentry refcount leak when opening a FIFO on lookup (rhbz 798296) --- ...ry-refcount-leak-when-opening-a-FIFO.patch | 61 +++++++++++++++++++ kernel.spec | 9 +++ 2 files changed, 70 insertions(+) create mode 100644 cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch diff --git a/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch b/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch new file mode 100644 index 000000000..9fd87acac --- /dev/null +++ b/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch @@ -0,0 +1,61 @@ +From 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Thu, 23 Feb 2012 09:37:45 -0500 +Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup + +The cifs code will attempt to open files on lookup under certain +circumstances. What happens though if we find that the file we opened +was actually a FIFO or other special file? + +Currently, the open filehandle just ends up being leaked leading to +a dentry refcount mismatch and oops on umount. Fix this by having the +code close the filehandle on the server if it turns out not to be a +regular file. While we're at it, change this spaghetti if statement +into a switch too. + +Cc: stable@vger.kernel.org +Reported-by: CAI Qian +Tested-by: CAI Qian +Reviewed-by: Shirish Pargaonkar +Signed-off-by: Jeff Layton +Signed-off-by: Steve French +--- + fs/cifs/dir.c | 20 ++++++++++++++++++-- + 1 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c +index 63a196b..bc7e244 100644 +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -584,10 +584,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry, + * If either that or op not supported returned, follow + * the normal lookup. + */ +- if ((rc == 0) || (rc == -ENOENT)) ++ switch (rc) { ++ case 0: ++ /* ++ * The server may allow us to open things like ++ * FIFOs, but the client isn't set up to deal ++ * with that. If it's not a regular file, just ++ * close it and proceed as if it were a normal ++ * lookup. ++ */ ++ if (newInode && !S_ISREG(newInode->i_mode)) { ++ CIFSSMBClose(xid, pTcon, fileHandle); ++ break; ++ } ++ case -ENOENT: + posix_open = true; +- else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP)) ++ case -EOPNOTSUPP: ++ break; ++ default: + pTcon->broken_posix_open = true; ++ } + } + if (!posix_open) + rc = cifs_get_inode_info_unix(&newInode, full_path, +-- +1.7.0.4 + diff --git a/kernel.spec b/kernel.spec index 2a6669744..feb8413a0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -774,6 +774,9 @@ Patch21280: ums_realtek-do-not-use-stack-memory-for-DMA-in-__do_.patch #rhbz 727865 730007 Patch21300: ACPICA-Fix-regression-in-FADT-revision-checks.patch +#rhbz 798296 +Patch21301: cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch + # compat-wireless patches Patch50000: compat-wireless-config-fixups.patch Patch50001: compat-wireless-pr_fmt-warning-avoidance.patch @@ -1493,6 +1496,9 @@ ApplyPatch ums_realtek-do-not-use-stack-memory-for-DMA-in-__do_.patch #rhbz 727865 730007 ApplyPatch ACPICA-Fix-regression-in-FADT-revision-checks.patch +#rhbz 798296 +ApplyPatch cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch + # END OF PATCH APPLICATIONS %endif @@ -2364,6 +2370,9 @@ fi # ||----w | # || || %changelog +* Tue Feb 28 2012 Justin M. Forbes +- CVE-2012-1090 CIFS: fix dentry refcount leak when opening a FIFO on lookup (rhbz 798296) + * Tue Feb 28 2012 Dave Jones - 3.3.0-0.rc5.git2.1 - Linux v3.3-rc5-88-g586c6e7