Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 77226 Details for
Bug 119087
Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open (CVE-2005-3356)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
fix-double-decrement-in-sys_mq_open.patch (inc. git header)
fix-double-decrement-in-sys_mq_open.patch (text/plain), 3.71 KB, created by
kfm
on 2006-01-15 20:35:07 UTC
(
hide
)
Description:
fix-double-decrement-in-sys_mq_open.patch (inc. git header)
Filename:
MIME Type:
Creator:
kfm
Created:
2006-01-15 20:35:07 UTC
Size:
3.71 KB
patch
obsolete
>From: Alexander Viro <aviro@redhat.com> >Date: Sat, 14 Jan 2006 20:29:55 +0000 (-0500) >Subject: [PATCH] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open >X-Git-Url: http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7c7dce9209161eb260cdf9e9172f72c3a02379e6 > >[PATCH] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open > >Fixed the refcounting on failure exits in sys_mq_open() and >cleaned the logics up. Rules are actually pretty simple - dentry_open() >expects vfsmount and dentry to be pinned down and it either transfers >them into created struct file or drops them. Old code had been very >confused in that area - if dentry_open() had failed either in do_open() >or do_create(), we ended up dentry and mqueue_mnt dropped twice, once >by dentry_open() cleanup and then by sys_mq_open(). > >Fix consists of making the rules for do_create() and do_open() >same as for dentry_open() and updating the sys_mq_open() accordingly; >that actually leads to more straightforward code and less work on >normal path. > >Signed-off-by: Al Viro <aviro@redhat.com> >Signed-off-by: Linus Torvalds <torvalds@osdl.org> >--- > >--- linux-2.6.14.orig/ipc/mqueue.c.orig 2006-01-16 04:24:50.000000000 +0000 >+++ linux-2.6.14/ipc/mqueue.c 2006-01-16 04:25:15.000000000 +0000 >@@ -599,15 +599,16 @@ > static struct file *do_create(struct dentry *dir, struct dentry *dentry, > int oflag, mode_t mode, struct mq_attr __user *u_attr) > { >- struct file *filp; > struct mq_attr attr; > int ret; > >- if (u_attr != NULL) { >+ if (u_attr) { >+ ret = -EFAULT; > if (copy_from_user(&attr, u_attr, sizeof(attr))) >- return ERR_PTR(-EFAULT); >+ goto out; >+ ret = -EINVAL; > if (!mq_attr_ok(&attr)) >- return ERR_PTR(-EINVAL); >+ goto out; > /* store for use during create */ > dentry->d_fsdata = &attr; > } >@@ -616,13 +617,14 @@ > ret = vfs_create(dir->d_inode, dentry, mode, NULL); > dentry->d_fsdata = NULL; > if (ret) >- return ERR_PTR(ret); >+ goto out; > >- filp = dentry_open(dentry, mqueue_mnt, oflag); >- if (!IS_ERR(filp)) >- dget(dentry); >+ return dentry_open(dentry, mqueue_mnt, oflag); > >- return filp; >+out: >+ dput(dentry); >+ mntput(mqueue_mnt); >+ return ERR_PTR(ret); > } > > /* Opens existing queue */ >@@ -630,20 +632,20 @@ > { > static int oflag2acc[O_ACCMODE] = { MAY_READ, MAY_WRITE, > MAY_READ | MAY_WRITE }; >- struct file *filp; > >- if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY)) >+ if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY)) { >+ dput(dentry); >+ mntput(mqueue_mnt); > return ERR_PTR(-EINVAL); >+ } > >- if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL)) >+ if (permission(dentry->d_inode, oflag2acc[oflag & O_ACCMODE], NULL)) { >+ dput(dentry); >+ mntput(mqueue_mnt); > return ERR_PTR(-EACCES); >+ } > >- filp = dentry_open(dentry, mqueue_mnt, oflag); >- >- if (!IS_ERR(filp)) >- dget(dentry); >- >- return filp; >+ return dentry_open(dentry, mqueue_mnt, oflag); > } > > asmlinkage long sys_mq_open(const char __user *u_name, int oflag, mode_t mode, >@@ -671,17 +673,20 @@ > > if (oflag & O_CREAT) { > if (dentry->d_inode) { /* entry already exists */ >- filp = (oflag & O_EXCL) ? ERR_PTR(-EEXIST) : >- do_open(dentry, oflag); >+ error = -EEXIST; >+ if (oflag & O_EXCL) >+ goto out; >+ filp = do_open(dentry, oflag); > } else { > filp = do_create(mqueue_mnt->mnt_root, dentry, > oflag, mode, u_attr); > } >- } else >- filp = (dentry->d_inode) ? do_open(dentry, oflag) : >- ERR_PTR(-ENOENT); >- >- dput(dentry); >+ } else { >+ error = -ENOENT; >+ if (!dentry->d_inode) >+ goto out; >+ filp = do_open(dentry, oflag); >+ } > > if (IS_ERR(filp)) { > error = PTR_ERR(filp); >@@ -692,8 +697,10 @@ > fd_install(fd, filp); > goto out_upsem; > >-out_putfd: >+out: >+ dput(dentry); > mntput(mqueue_mnt); >+out_putfd: > put_unused_fd(fd); > out_err: > fd = error;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=77226">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 119087
:
77224
| 77226
