Annotation of /trunk/kernel26-magellan/patches-2.6.16-r12/0131-2.6.16.16-fix-lease_init-CVE-2006-1860.patch
Mon Jun 5 09:25:38 2006 UTC (18 years, 3 months ago) by niro
File size: 2202 byte(s)
ver bump to 2.6.16-r12: - updated to linux-2.6.16.19 - updated to ck11
1 | niro | 72 | From: Trond Myklebust <Trond.Myklebust@netapp.com> |
2 | Date: Mon, 8 May 2006 03:02:42 +0000 (-0400) | ||
3 | Subject: [PATCH] fs/locks.c: Fix lease_init (CVE-2006-1860) | ||
4 | X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=1f0e637c94a9b041833947c79110d6c02fff8618 | ||
5 | |||
6 | [PATCH] fs/locks.c: Fix lease_init (CVE-2006-1860) | ||
7 | |||
8 | It is insane to be giving lease_init() the task of freeing the lock it is | ||
9 | supposed to initialise, given that the lock is not guaranteed to be | ||
10 | allocated on the stack. This causes lockups in fcntl_setlease(). | ||
11 | Problem diagnosed by Daniel Hokka Zakrisson <daniel@hozac.com> | ||
12 | |||
13 | Also fix a slab leak in __setlease() due to an uninitialised return value. | ||
14 | Problem diagnosed by Björn Steinbrink. | ||
15 | |||
16 | Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> | ||
17 | Tested-by: Daniel Hokka Zakrisson <daniel@hozac.com> | ||
18 | Signed-off-by: Linus Torvalds <torvalds@osdl.org> | ||
19 | Cc: Björn Steinbrink <B.Steinbrink@gmx.de> | ||
20 | Signed-off-by: Chris Wright <chrisw@sous-sol.org> | ||
21 | --- | ||
22 | |||
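--- a/fs/locks.c
+++ b/fs/locks.c
@@ -432,15 +432,14 @@ static struct lock_manager_operations le
  */
 static int lease_init(struct file *filp, int type, struct file_lock *fl)
 {
+	if (assign_type(fl, type) != 0)
+		return -EINVAL;
+
 	fl->fl_owner = current->files;
 	fl->fl_pid = current->tgid;
 
 	fl->fl_file = filp;
 	fl->fl_flags = FL_LEASE;
-	if (assign_type(fl, type) != 0) {
-		locks_free_lock(fl);
-		return -EINVAL;
-	}
 	fl->fl_start = 0;
 	fl->fl_end = OFFSET_MAX;
 	fl->fl_ops = NULL;
@@ -452,16 +451,19 @@ static int lease_init(struct file *filp,
 static int lease_alloc(struct file *filp, int type, struct file_lock **flp)
 {
 	struct file_lock *fl = locks_alloc_lock();
-	int error;
+	int error = -ENOMEM;
 
 	if (fl == NULL)
-		return -ENOMEM;
+		goto out;
 
 	error = lease_init(filp, type, fl);
-	if (error)
-		return error;
+	if (error) {
+		locks_free_lock(fl);
+		fl = NULL;
+	}
+out:
 	*flp = fl;
-	return 0;
+	return error;
 }
 
 /* Check if two locks overlap each other.
@@ -1337,6 +1339,7 @@ static int __setlease(struct file *filp,
 		goto out;
 
 	if (my_before != NULL) {
+		*flp = *my_before;
 		error = lease->fl_lmops->fl_change(my_before, arg);
 		goto out;
 	}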
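Review bot: The ownership rule that this commit establishes in the first hunk — lease_init() no longer frees fl on an assign_type() failure, so the caller keeps ownership and must release it — is not recorded anywhere in the code, and the previous version of the function freed fl itself, so a later caller could easily reintroduce the lock-up/leak pair being fixed here. Suggest adding `/* On failure fl is returned unfreed: the caller still owns it and must release it. */` directly above the new `if (assign_type(fl, type) != 0)` check; the comment block whose closing `*/` is the hunk's first context line starts outside the hunk and may be the right home for it instead. The same contract is worth stating on lease_alloc() in the second hunk, which now guarantees that on any error the lock is freed and `*flp` is set to NULL, so a caller must not touch `*flp` when a non-zero error is returned. In the third hunk, `*flp = *my_before;` makes the caller see the pre-existing lease rather than the one it passed in; whether the caller still releases its own originally allocated lock on that path cannot be seen from this hunk, as __setlease's body starts and ends outside it, and is worth confirming against fcntl_setlease().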