| Message ID | 1328524765-18910-2-git-send-email-apw@canonical.com |
|---|---|
| State | New |
| Headers | show |
On 06.02.2012 11:39, Andy Whitcroft wrote: > From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> > > In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking > dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing > mount(NULL, "/", "ext3", 0, NULL) request. > Fix this by checking dev_name != NULL before calling kern_path(dev_name). > > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> > Cc: stable@kernel.org > Signed-off-by: James Morris <jmorris@namei.org> > > (cherry picked from commit 4e78c724d47e2342aa8fde61f6b8536f662f795f) > CVE-2011-2518 > BugLink: http://bugs.launchpad.net/bugs/922377 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > security/tomoyo/mount.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c > index 82bf8c2..afa07cf 100644 > --- a/security/tomoyo/mount.c > +++ b/security/tomoyo/mount.c > @@ -138,7 +138,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, > } > if (need_dev) { > /* Get mount point or device file. */ > - if (kern_path(dev_name, LOOKUP_FOLLOW, &path)) { > + if (!dev_name || kern_path(dev_name, LOOKUP_FOLLOW, &path)) { > error = -ENOENT; > goto out; > } Acked-by: Stefan Bader <smb@canonical.com>
On 06/02/12 10:39, Andy Whitcroft wrote: > From: Tetsuo Handa<penguin-kernel@I-love.SAKURA.ne.jp> > > In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking > dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing > mount(NULL, "/", "ext3", 0, NULL) request. > Fix this by checking dev_name != NULL before calling kern_path(dev_name). > > Signed-off-by: Tetsuo Handa<penguin-kernel@I-love.SAKURA.ne.jp> > Cc: stable@kernel.org > Signed-off-by: James Morris<jmorris@namei.org> > > (cherry picked from commit 4e78c724d47e2342aa8fde61f6b8536f662f795f) > CVE-2011-2518 > BugLink: http://bugs.launchpad.net/bugs/922377 > Signed-off-by: Andy Whitcroft<apw@canonical.com> > --- > security/tomoyo/mount.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c > index 82bf8c2..afa07cf 100644 > --- a/security/tomoyo/mount.c > +++ b/security/tomoyo/mount.c > @@ -138,7 +138,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, > } > if (need_dev) { > /* Get mount point or device file. */ > - if (kern_path(dev_name, LOOKUP_FOLLOW,&path)) { > + if (!dev_name || kern_path(dev_name, LOOKUP_FOLLOW,&path)) { > error = -ENOENT; > goto out; > } Straight forward fix. Acked-by: Colin King <colin.king@canonical.com>
diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c index 82bf8c2..afa07cf 100644 --- a/security/tomoyo/mount.c +++ b/security/tomoyo/mount.c @@ -138,7 +138,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, } if (need_dev) { /* Get mount point or device file. */ - if (kern_path(dev_name, LOOKUP_FOLLOW, &path)) { + if (!dev_name || kern_path(dev_name, LOOKUP_FOLLOW, &path)) { error = -ENOENT; goto out; }