Patchwork [natty,natty/ti-omap4,CVE,1/1] TOMOYO: Fix oops in tomoyo_mount_acl().

login
register
mail settings
Submitter Andy Whitcroft
Date Feb. 6, 2012, 10:39 a.m.
Message ID <1328524765-18910-2-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/139707/
State New
Headers show

Comments

Andy Whitcroft - Feb. 6, 2012, 10:39 a.m.
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking
dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing
mount(NULL, "/", "ext3", 0, NULL) request.
Fix this by checking dev_name != NULL before calling kern_path(dev_name).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: stable@kernel.org
Signed-off-by: James Morris <jmorris@namei.org>

(cherry picked from commit 4e78c724d47e2342aa8fde61f6b8536f662f795f)
CVE-2011-2518
BugLink: http://bugs.launchpad.net/bugs/922377
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 security/tomoyo/mount.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
Stefan Bader - Feb. 6, 2012, 10:56 a.m.
On 06.02.2012 11:39, Andy Whitcroft wrote:
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> 
> In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking
> dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing
> mount(NULL, "/", "ext3", 0, NULL) request.
> Fix this by checking dev_name != NULL before calling kern_path(dev_name).
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Cc: stable@kernel.org
> Signed-off-by: James Morris <jmorris@namei.org>
> 
> (cherry picked from commit 4e78c724d47e2342aa8fde61f6b8536f662f795f)
> CVE-2011-2518
> BugLink: http://bugs.launchpad.net/bugs/922377
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  security/tomoyo/mount.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c
> index 82bf8c2..afa07cf 100644
> --- a/security/tomoyo/mount.c
> +++ b/security/tomoyo/mount.c
> @@ -138,7 +138,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name,
>  	}
>  	if (need_dev) {
>  		/* Get mount point or device file. */
> -		if (kern_path(dev_name, LOOKUP_FOLLOW, &path)) {
> +		if (!dev_name || kern_path(dev_name, LOOKUP_FOLLOW, &path)) {
>  			error = -ENOENT;
>  			goto out;
>  		}

Acked-by: Stefan Bader <smb@canonical.com>
Colin King - Feb. 6, 2012, 11:14 a.m.
On 06/02/12 10:39, Andy Whitcroft wrote:
> From: Tetsuo Handa<penguin-kernel@I-love.SAKURA.ne.jp>
>
> In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking
> dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing
> mount(NULL, "/", "ext3", 0, NULL) request.
> Fix this by checking dev_name != NULL before calling kern_path(dev_name).
>
> Signed-off-by: Tetsuo Handa<penguin-kernel@I-love.SAKURA.ne.jp>
> Cc: stable@kernel.org
> Signed-off-by: James Morris<jmorris@namei.org>
>
> (cherry picked from commit 4e78c724d47e2342aa8fde61f6b8536f662f795f)
> CVE-2011-2518
> BugLink: http://bugs.launchpad.net/bugs/922377
> Signed-off-by: Andy Whitcroft<apw@canonical.com>
> ---
>   security/tomoyo/mount.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c
> index 82bf8c2..afa07cf 100644
> --- a/security/tomoyo/mount.c
> +++ b/security/tomoyo/mount.c
> @@ -138,7 +138,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name,
>   	}
>   	if (need_dev) {
>   		/* Get mount point or device file. */
> -		if (kern_path(dev_name, LOOKUP_FOLLOW,&path)) {
> +		if (!dev_name || kern_path(dev_name, LOOKUP_FOLLOW,&path)) {
>   			error = -ENOENT;
>   			goto out;
>   		}

Straight forward fix.

Acked-by: Colin King <colin.king@canonical.com>

Patch

diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c
index 82bf8c2..afa07cf 100644
--- a/security/tomoyo/mount.c
+++ b/security/tomoyo/mount.c
@@ -138,7 +138,7 @@  static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name,
 	}
 	if (need_dev) {
 		/* Get mount point or device file. */
-		if (kern_path(dev_name, LOOKUP_FOLLOW, &path)) {
+		if (!dev_name || kern_path(dev_name, LOOKUP_FOLLOW, &path)) {
 			error = -ENOENT;
 			goto out;
 		}