Patchwork [maverick/ti-omap4,CVE,1/1] inotify: stop kernel memory leak on file creation failure

Submitter Andy Whitcroft
Date Jan. 30, 2012, 9:51 a.m.
Message ID <1327917089-29562-2-git-send-email-apw@canonical.com>
Permalink /patch/138532/
State New

Comments

Andy Whitcroft - Jan. 30, 2012, 9:51 a.m.
From: Eric Paris <eparis@redhat.com>

If inotify_init is unable to allocate a new file for the new inotify
group we leak the new group.  This patch drops the reference on the
group on file allocation failure.

Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
cc: stable@kernel.org
Signed-off-by: Eric Paris <eparis@redhat.com>

(cherry picked from commit a2ae4cc9a16e211c8a128ba10d22a85431f093ab)
CVE-2010-4250
BugLink: http://bugs.launchpad.net/bugs/917797
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/notify/inotify/inotify_user.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

Stefan Bader - Jan. 30, 2012, 11:28 a.m.
On 30.01.2012 10:51, Andy Whitcroft wrote:
> From: Eric Paris <eparis@redhat.com>
> 
> If inotify_init is unable to allocate a new file for the new inotify
> group we leak the new group.  This patch drops the reference on the
> group on file allocation failure.
> 
> Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
> cc: stable@kernel.org
> Signed-off-by: Eric Paris <eparis@redhat.com>
> 
> (cherry picked from commit a2ae4cc9a16e211c8a128ba10d22a85431f093ab)
> CVE-2010-4250
> BugLink: http://bugs.launchpad.net/bugs/917797
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  fs/notify/inotify/inotify_user.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
> index e46ca68..e295eee 100644
> --- a/fs/notify/inotify/inotify_user.c
> +++ b/fs/notify/inotify/inotify_user.c
> @@ -671,6 +671,7 @@ SYSCALL_DEFINE1(inotify_init1, int, flags)
>  	if (ret >= 0)
>  		return ret;
>  
> +	fsnotify_put_group(group);
>  	atomic_dec(&user->inotify_devs);
>  out_free_uid:
>  	free_uid(user);

Looks reasonable, cherry-picked too...
Acked-by: Stefan Bader <smb@canonical.com>

Herton Ronaldo Krzesinski - Jan. 30, 2012, 12:06 p.m.
On Mon, Jan 30, 2012 at 09:51:29AM +0000, Andy Whitcroft wrote:
> From: Eric Paris <eparis@redhat.com>
> 
> If inotify_init is unable to allocate a new file for the new inotify
> group we leak the new group.  This patch drops the reference on the
> group on file allocation failure.
> 
> Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
> cc: stable@kernel.org
> Signed-off-by: Eric Paris <eparis@redhat.com>
> 
> (cherry picked from commit a2ae4cc9a16e211c8a128ba10d22a85431f093ab)
> CVE-2010-4250
> BugLink: http://bugs.launchpad.net/bugs/917797
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  fs/notify/inotify/inotify_user.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
> index e46ca68..e295eee 100644
> --- a/fs/notify/inotify/inotify_user.c
> +++ b/fs/notify/inotify/inotify_user.c
> @@ -671,6 +671,7 @@ SYSCALL_DEFINE1(inotify_init1, int, flags)
>  	if (ret >= 0)
>  		return ret;
>  
> +	fsnotify_put_group(group);
>  	atomic_dec(&user->inotify_devs);
>  out_free_uid:
>  	free_uid(user);
> -- 
> 1.7.5.4

There is a fix for this change, which seems to introduce a regression.
See commit d0de4dc584ec6aa3b26fffea320a8457827768fc

Tim Gardner - Jan. 30, 2012, 1:55 p.m.
On 01/30/2012 05:06 AM, Herton Ronaldo Krzesinski wrote:
>
> There is a fix for this change, which seems to introduce a regression.
> See commit d0de4dc584ec6aa3b26fffea320a8457827768fc
>

Applied both. Isn't Maverick/ti-omap4 a rebase kernel? Why wasn't
d0de4dc584ec6aa3b26fffea320a8457827768fc picked up as a stable patch?

rtg

Herton Ronaldo Krzesinski - Jan. 30, 2012, 2:20 p.m.
On Mon, Jan 30, 2012 at 06:55:36AM -0700, Tim Gardner wrote:
> On 01/30/2012 05:06 AM, Herton Ronaldo Krzesinski wrote:
> >
> >There is a fix for this change, which seems to introduce a regression.
> >See commit d0de4dc584ec6aa3b26fffea320a8457827768fc
> >
> 
> Applied both. Isn't Maverick/ti-omap4 a rebase kernel ? Why wasn't
> d0de4dc584ec6aa3b26fffea320a8457827768fc picked up as a stable
> patch?

No, it isn't one of the rebasable branches. About stable, I don't know,
maybe because it was marked stable only for 2.6.37+

> 
> rtg
> -- 
> Tim Gardner tim.gardner@canonical.com
>

Patch

diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
index e46ca68..e295eee 100644
--- a/fs/notify/inotify/inotify_user.c
+++ b/fs/notify/inotify/inotify_user.c
@@ -671,6 +671,7 @@  SYSCALL_DEFINE1(inotify_init1, int, flags)
 	if (ret >= 0)
 		return ret;
 
+	fsnotify_put_group(group);
 	atomic_dec(&user->inotify_devs);
 out_free_uid:
 	free_uid(user);
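
Review bot: the added fsnotify_put_group(group) runs immediately before the existing atomic_dec(&user->inotify_devs) and free_uid(user), so if dropping the last group reference already releases the per-user inotify_devs count and the uid reference as part of group teardown, this error path would release both twice. Please confirm what the group's free path does in this tree, and if it does release them, return ret right after the put instead of falling through to the decrement and out_free_uid. The thread cites commit d0de4dc584ec6aa3b26fffea320a8457827768fc as a fix for a regression from this change, so the backport should carry that commit in the same series.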