CVE-2012-1090 CIFS: fix dentry refcount leak when opening a FIFO on lookup (rhbz 798296)
This commit is contained in:
Justin M. Forbes
parent
c675e2db6b
commit
c15034c210
|
|
@ -0,0 +1,61 @@
|
|||
From 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Layton <jlayton@redhat.com>
|
||||
Date: Thu, 23 Feb 2012 09:37:45 -0500
|
||||
Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
|
||||
|
||||
The cifs code will attempt to open files on lookup under certain
|
||||
circumstances. What happens though if we find that the file we opened
|
||||
was actually a FIFO or other special file?
|
||||
|
||||
Currently, the open filehandle just ends up being leaked leading to
|
||||
a dentry refcount mismatch and oops on umount. Fix this by having the
|
||||
code close the filehandle on the server if it turns out not to be a
|
||||
regular file. While we're at it, change this spaghetti if statement
|
||||
into a switch too.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: CAI Qian <caiqian@redhat.com>
|
||||
Tested-by: CAI Qian <caiqian@redhat.com>
|
||||
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
|
||||
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
||||
Signed-off-by: Steve French <smfrench@gmail.com>
|
||||
---
|
||||
fs/cifs/dir.c | 20 ++++++++++++++++++--
|
||||
1 files changed, 18 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
|
||||
index 63a196b..bc7e244 100644
|
||||
--- a/fs/cifs/dir.c
|
||||
+++ b/fs/cifs/dir.c
|
||||
@@ -584,10 +584,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
|
||||
* If either that or op not supported returned, follow
|
||||
* the normal lookup.
|
||||
*/
|
||||
- if ((rc == 0) || (rc == -ENOENT))
|
||||
+ switch (rc) {
|
||||
+ case 0:
|
||||
+ /*
|
||||
+ * The server may allow us to open things like
|
||||
+ * FIFOs, but the client isn't set up to deal
|
||||
+ * with that. If it's not a regular file, just
|
||||
+ * close it and proceed as if it were a normal
|
||||
+ * lookup.
|
||||
+ */
|
||||
+ if (newInode && !S_ISREG(newInode->i_mode)) {
|
||||
+ CIFSSMBClose(xid, pTcon, fileHandle);
|
||||
+ break;
|
||||
+ }
|
||||
+ case -ENOENT:
|
||||
posix_open = true;
|
||||
- else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
|
||||
+ case -EOPNOTSUPP:
|
||||
+ break;
|
||||
+ default:
|
||||
pTcon->broken_posix_open = true;
|
||||
+ }
|
||||
}
|
||||
if (!posix_open)
|
||||
rc = cifs_get_inode_info_unix(&newInode, full_path,
|
||||
--
|
||||
1.7.0.4
|
||||
|
||||
|
|
@ -774,6 +774,9 @@ Patch21290: ums_realtek-do-not-use-stack-memory-for-DMA-in-__do_.patch
|
|||
#rhbz 727865 730007
|
||||
Patch21300: ACPICA-Fix-regression-in-FADT-revision-checks.patch
|
||||
|
||||
#rhbz 798296
|
||||
Patch21301: cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
|
||||
|
||||
# compat-wireless patches
|
||||
Patch50000: compat-wireless-config-fixups.patch
|
||||
Patch50001: compat-wireless-pr_fmt-warning-avoidance.patch
|
||||
|
|
@ -1493,6 +1496,9 @@ ApplyPatch ums_realtek-do-not-use-stack-memory-for-DMA-in-__do_.patch
|
|||
#rhbz 727865 730007
|
||||
ApplyPatch ACPICA-Fix-regression-in-FADT-revision-checks.patch
|
||||
|
||||
#rhbz 798296
|
||||
ApplyPatch cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2374,6 +2380,9 @@ fi
|
|||
# '-' | |
|
||||
# '-'
|
||||
%changelog
|
||||
* Tue Feb 28 2012 Justin M. Forbes <jforbes@redhat.com>
|
||||
- CVE-2012-1090 CIFS: fix dentry refcount leak when opening a FIFO on lookup (rhbz 798296)
|
||||
|
||||
* Tue Feb 28 2012 Dave Jones <davej@redhat.com> - 3.3.0-0.rc5.git2.1
|
||||
- Linux v3.3-rc5-88-g586c6e7
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue