[maverick/ti-omap4 CVE 1/1] inotify: stop kernel memory leak on file creation failure

Herton Ronaldo Krzesinski herton.krzesinski at canonical.com
Mon Jan 30 12:06:02 UTC 2012


On Mon, Jan 30, 2012 at 09:51:29AM +0000, Andy Whitcroft wrote:
> From: Eric Paris <eparis at redhat.com>
> 
> If inotify_init is unable to allocate a new file for the new inotify
> group we leak the new group.  This patch drops the reference on the
> group on file allocation failure.
> 
> Reported-by: Vegard Nossum <vegard.nossum at gmail.com>
> cc: stable at kernel.org
> Signed-off-by: Eric Paris <eparis at redhat.com>
> 
> (cherry picked from commit a2ae4cc9a16e211c8a128ba10d22a85431f093ab)
> CVE-2010-4250
> BugLink: http://bugs.launchpad.net/bugs/917797
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
>  fs/notify/inotify/inotify_user.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
> index e46ca68..e295eee 100644
> --- a/fs/notify/inotify/inotify_user.c
> +++ b/fs/notify/inotify/inotify_user.c
> @@ -671,6 +671,7 @@ SYSCALL_DEFINE1(inotify_init1, int, flags)
>  	if (ret >= 0)
>  		return ret;
>  
> +	fsnotify_put_group(group);
>  	atomic_dec(&user->inotify_devs);
>  out_free_uid:
>  	free_uid(user);
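
Review bot: after the added `fsnotify_put_group(group);` the failure path still falls through to `atomic_dec(&user->inotify_devs);` and `free_uid(user);`, so if dropping the last group reference already releases the group's hold on `user` during teardown, the device count and the uid reference are released twice. Please confirm who owns the `user` reference at this point and, if the group does, return right after the put instead of falling through to `out_free_uid`. The reply to this patch cites commit d0de4dc584ec6aa3b26fffea320a8457827768fc as a fix for this change, so that commit should be reviewed and carried together with this backport.
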
> -- 
> 1.7.5.4

There is a fix for this change, which seems to introduce a regression.
See commit d0de4dc584ec6aa3b26fffea320a8457827768fc

-- 
[]'s
Herton


