[CVE-2012-1090] natty, natty/ti-omap4

Stefan Bader stefan.bader at canonical.com
Fri Apr 20 08:38:23 UTC 2012

A flaw was discovered in the Linux kernel's cifs file system. An
unprivileged local user could exploit this flaw to crash the system leading
to a denial of service.

I believe this was introduced somewhere in 2.6.30, so Hardy is not
affected. Fixes have reached Oneiric and Precise via upstream stable.
So proposing for Natty and the ti-omap4 branch there.


>From 35e7104ae389ba5f952163f4c8c678e78269dbd9 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton at redhat.com>
Date: Thu, 23 Feb 2012 09:37:45 -0500
Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup

The cifs code will attempt to open files on lookup under certain
circumstances. What happens though if we find that the file we opened
was actually a FIFO or other special file?

Currently, the open filehandle just ends up being leaked leading to
a dentry refcount mismatch and oops on umount. Fix this by having the
code close the filehandle on the server if it turns out not to be a
regular file. While we're at it, change this spaghetti if statement
into a switch too.

Cc: stable at vger.kernel.org
Reported-by: CAI Qian <caiqian at redhat.com>
Tested-by: CAI Qian <caiqian at redhat.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar at gmail.com>
Signed-off-by: Jeff Layton <jlayton at redhat.com>
Signed-off-by: Steve French <smfrench at gmail.com>

BugLink: http://bugs.launchpad.net/bugs/947997

(cherry-picked from 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream)
Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
 fs/cifs/dir.c |   20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index dd5f229..625c53d 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -573,10 +573,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
 			 * If either that or op not supported returned, follow
 			 * the normal lookup.
-			if ((rc == 0) || (rc == -ENOENT))
+			switch (rc) {
+			case 0:
+				/*
+				 * The server may allow us to open things like
+				 * FIFOs, but the client isn't set up to deal
+				 * with that. If it's not a regular file, just
+				 * close it and proceed as if it were a normal
+				 * lookup.
+				 */
+				if (newInode && !S_ISREG(newInode->i_mode)) {
+					CIFSSMBClose(xid, pTcon, fileHandle);
+					break;
+				}
+			case -ENOENT:
 				posix_open = true;
-			else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
+			case -EOPNOTSUPP:
+				break;
+			default:
 				pTcon->broken_posix_open = true;
+			}
 		if (!posix_open)
 			rc = cifs_get_inode_info_unix(&newInode, full_path,

More information about the kernel-team mailing list