Ack: Re: [CVE-2012-1090] natty, natty/ti-omap4

Herton Ronaldo Krzesinski herton.krzesinski at canonical.com
Fri Apr 20 13:26:53 UTC 2012 

On Fri, Apr 20, 2012 at 10:38:23AM +0200, Stefan Bader wrote:
> A flaw was discovered in the Linux kernel's cifs file system. An
> unprivileged local user could exploit this flaw to crash the system leading
> to a denial of service.
> 
> I believe this was introduced somewhere in 2.6.30, so Hardy is not
> affected. Fixes have reached Oneiric and Precise via upstream stable.
> So proposing for Natty and the ti-omap4 branch there.
> 
> -Stefan
> 
> From 35e7104ae389ba5f952163f4c8c678e78269dbd9 Mon Sep 17 00:00:00 2001
> From: Jeff Layton <jlayton at redhat.com>
> Date: Thu, 23 Feb 2012 09:37:45 -0500
> Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
> 
> The cifs code will attempt to open files on lookup under certain
> circumstances. What happens though if we find that the file we opened
> was actually a FIFO or other special file?
> 
> Currently, the open filehandle just ends up being leaked leading to
> a dentry refcount mismatch and oops on umount. Fix this by having the
> code close the filehandle on the server if it turns out not to be a
> regular file. While we're at it, change this spaghetti if statement
> into a switch too.
> 
> Cc: stable at vger.kernel.org
> Reported-by: CAI Qian <caiqian at redhat.com>
> Tested-by: CAI Qian <caiqian at redhat.com>
> Reviewed-by: Shirish Pargaonkar <shirishpargaonkar at gmail.com>
> Signed-off-by: Jeff Layton <jlayton at redhat.com>
> Signed-off-by: Steve French <smfrench at gmail.com>
> 
> BugLink: http://bugs.launchpad.net/bugs/947997
> CVE-2012-1090
> 
> (cherry-picked from 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream)
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  fs/cifs/dir.c |   20 ++++++++++++++++++--
>  1 file changed, 18 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
> index dd5f229..625c53d 100644
> --- a/fs/cifs/dir.c
> +++ b/fs/cifs/dir.c
> @@ -573,10 +573,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
>  			 * If either that or op not supported returned, follow
>  			 * the normal lookup.
>  			 */
> -			if ((rc == 0) || (rc == -ENOENT))
> +			switch (rc) {
> +			case 0:
> +				/*
> +				 * The server may allow us to open things like
> +				 * FIFOs, but the client isn't set up to deal
> +				 * with that. If it's not a regular file, just
> +				 * close it and proceed as if it were a normal
> +				 * lookup.
> +				 */
> +				if (newInode && !S_ISREG(newInode->i_mode)) {
> +					CIFSSMBClose(xid, pTcon, fileHandle);
> +					break;
> +				}
> +			case -ENOENT:
>  				posix_open = true;
> -			else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
> +			case -EOPNOTSUPP:
> +				break;
> +			default:
>  				pTcon->broken_posix_open = true;
> +			}
>  		}
>  		if (!posix_open)
>  			rc = cifs_get_inode_info_unix(&newInode, full_path,
> -- 
> 1.7.9.5
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
> 

-- 
[]'s
Herton

More information about the kernel-team mailing list