Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 104641 Details for
Bug 158786
Kernel: SELinux superblock_doinit denial of service (CVE-2006-6056)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch
1915_hfs-root-inode.patch (text/plain), 1.90 KB, created by
Daniel Drake (RETIRED)
on 2006-12-23 08:41:34 UTC
(
hide
)
Description:
patch
Filename:
MIME Type:
Creator:
Daniel Drake (RETIRED)
Created:
2006-12-23 08:41:34 UTC
Size:
1.90 KB
patch
obsolete
>From: Eric Sandeen <sandeen@redhat.com> >Date: Thu, 16 Nov 2006 09:19:22 +0000 (-0800) >Subject: [PATCH] hfs_fill_super returns success even if no root inode >X-Git-Tag: v2.6.19 >X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d6ddf55440833fd9404138026af246c51ebeef22 > >[PATCH] hfs_fill_super returns success even if no root inode > >http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html > >mount that image... >fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended. mounting read-only. >hfs: get root inode failed. >BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018 > printing eip >... >EIP is at superblock_doinit+0x21/0x767 >... > [] selinux_sb_kern_mount+0xc/0x4b > [] vfs_kern_mount+0x99/0xf6 > [] do_kern_mount+0x2d/0x3e > [] do_mount+0x5fa/0x66d > [] sys_mount+0x77/0xae > [] syscall_call+0x7/0xb >DWARF2 unwinder stuck at syscall_call+0x7/0xb > >hfs_fill_super() returns success even if > root_inode = hfs_iget(sb, &fd.search_key->cat, &rec); >or > sb->s_root = d_alloc_root(root_inode); > >fails. This superblock finds its way to superblock_doinit() which does: > > struct dentry *root = sb->s_root; > struct inode *inode = root->d_inode; > >and boom. Need to make sure the error cases return an error, I think. > >[akpm@osdl.org: return -ENOMEM on oom] >Signed-off-by: Eric Sandeen <sandeen@redhat.com> >Cc: Roman Zippel <zippel@linux-m68k.org> >Signed-off-by: Andrew Morton <akpm@osdl.org> >Signed-off-by: Linus Torvalds <torvalds@osdl.org> >--- > >--- a/fs/hfs/super.c >+++ b/fs/hfs/super.c >@@ -390,11 +390,13 @@ static int hfs_fill_super(struct super_b > hfs_find_exit(&fd); > goto bail_no_root; > } >+ res = -EINVAL; > root_inode = hfs_iget(sb, &fd.search_key->cat, &rec); > hfs_find_exit(&fd); > if (!root_inode) > goto bail_no_root; > >+ res = -ENOMEM; > sb->s_root = d_alloc_root(root_inode); > if (!sb->s_root) > goto bail_iput;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=104641">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 158786
: 104641
