Contents of /trunk/kernel26-magellan/patches-2.6.16-r10/0131-2.6.16.16-fix-lease_init-CVE-2006-1860.patch
Revision 70 -
Thu May 11 19:09:22 2006 UTC (18 years, 4 months ago) by niro
File size: 2202 byte(s)
import
1 | From: Trond Myklebust <Trond.Myklebust@netapp.com> |
2 | Date: Mon, 8 May 2006 03:02:42 +0000 (-0400) |
3 | Subject: [PATCH] fs/locks.c: Fix lease_init (CVE-2006-1860) |
4 | X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=1f0e637c94a9b041833947c79110d6c02fff8618 |
5 | |
6 | [PATCH] fs/locks.c: Fix lease_init (CVE-2006-1860) |
7 | |
8 | It is insane to be giving lease_init() the task of freeing the lock it is |
9 | supposed to initialise, given that the lock is not guaranteed to be |
10 | allocated on the stack. This causes lockups in fcntl_setlease(). |
11 | Problem diagnosed by Daniel Hokka Zakrisson <daniel@hozac.com> |
12 | |
13 | Also fix a slab leak in __setlease() due to an uninitialised return value. |
14 | Problem diagnosed by Björn Steinbrink. |
15 | |
16 | Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> |
17 | Tested-by: Daniel Hokka Zakrisson <daniel@hozac.com> |
18 | Signed-off-by: Linus Torvalds <torvalds@osdl.org> |
19 | Cc: Björn Steinbrink <B.Steinbrink@gmx.de> |
20 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
21 | --- |
22 | |
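--- a/fs/locks.c
+++ b/fs/locks.c
@@ -432,15 +432,14 @@ static struct lock_manager_operations le
  */
 static int lease_init(struct file *filp, int type, struct file_lock *fl)
 {
+	if (assign_type(fl, type) != 0)
+		return -EINVAL;
+
 	fl->fl_owner = current->files;
 	fl->fl_pid = current->tgid;
 
 	fl->fl_file = filp;
 	fl->fl_flags = FL_LEASE;
-	if (assign_type(fl, type) != 0) {
-		locks_free_lock(fl);
-		return -EINVAL;
-	}
 	fl->fl_start = 0;
 	fl->fl_end = OFFSET_MAX;
 	fl->fl_ops = NULL;
@@ -452,16 +451,19 @@ static int lease_init(struct file *filp,
 static int lease_alloc(struct file *filp, int type, struct file_lock **flp)
 {
 	struct file_lock *fl = locks_alloc_lock();
-	int error;
+	int error = -ENOMEM;
 
 	if (fl == NULL)
-		return -ENOMEM;
+		goto out;
 
 	error = lease_init(filp, type, fl);
-	if (error)
-		return error;
+	if (error) {
+		locks_free_lock(fl);
+		fl = NULL;
+	}
+out:
 	*flp = fl;
-	return 0;
+	return error;
 }
 
 /* Check if two locks overlap each other.
@@ -1337,6 +1339,7 @@ static int __setlease(struct file *filp,
 		goto out;
 
 	if (my_before != NULL) {
+		*flp = *my_before;
 		error = lease->fl_lmops->fl_change(my_before, arg);
 		goto out;
 	}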
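Review bot: The ownership rule this fix turns on — lease_init() no longer frees fl when assign_type() fails, so the caller keeps it — is written down nowhere in the new code: the comment block whose closing `*/` sits just above the lease_init signature (its body lies outside the hunk) gains no mention of it, and a later cleanup could easily reintroduce the free and with it the double free in lease_alloc. Suggest adding a line to that comment such as ` * On failure the caller retains ownership of @fl and must release it.` and a matching one-liner in lease_alloc above `locks_free_lock(fl);`, e.g. `/* lease_init() never frees fl; release it here */`. In __setlease, `*flp = *my_before;` replaces the caller's pointer to the lease it allocated with the already-installed one, and what becomes of the original allocation is decided by code outside the hunk (the function starts and ends beyond it), so a short comment on that line naming who releases the spare lock would help — presumably the caller compares the returned pointer with its own, but confirm against fcntl_setlease.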