Patchwork [CVE-2012-1090] natty, natty/ti-omap4

login
register
mail settings
Submitter Stefan Bader
Date April 20, 2012, 8:38 a.m.
Message ID <1334911103-3072-1-git-send-email-stefan.bader@canonical.com>
Download mbox | patch
Permalink /patch/153958/
State New
Headers show

Comments

Stefan Bader - April 20, 2012, 8:38 a.m.
A flaw was discovered in the Linux kernel's cifs file system. An
unprivileged local user could exploit this flaw to crash the system leading
to a denial of service.

I believe this was introduced somewhere in 2.6.30, so Hardy is not
affected. Fixes have reached Oneiric and Precise via upstream stable.
So proposing for Natty and the ti-omap4 branch there.

-Stefan

From 35e7104ae389ba5f952163f4c8c678e78269dbd9 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@redhat.com>
Date: Thu, 23 Feb 2012 09:37:45 -0500
Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup

The cifs code will attempt to open files on lookup under certain
circumstances. What happens though if we find that the file we opened
was actually a FIFO or other special file?

Currently, the open filehandle just ends up being leaked leading to
a dentry refcount mismatch and oops on umount. Fix this by having the
code close the filehandle on the server if it turns out not to be a
regular file. While we're at it, change this spaghetti if statement
into a switch too.

Cc: stable@vger.kernel.org
Reported-by: CAI Qian <caiqian@redhat.com>
Tested-by: CAI Qian <caiqian@redhat.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>

BugLink: http://bugs.launchpad.net/bugs/947997
CVE-2012-1090

(cherry-picked from 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 fs/cifs/dir.c |   20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
Herton Ronaldo Krzesinski - April 20, 2012, 1:26 p.m.
On Fri, Apr 20, 2012 at 10:38:23AM +0200, Stefan Bader wrote:
> A flaw was discovered in the Linux kernel's cifs file system. An
> unprivileged local user could exploit this flaw to crash the system leading
> to a denial of service.
> 
> I believe this was introduced somewhere in 2.6.30, so Hardy is not
> affected. Fixes have reached Oneiric and Precise via upstream stable.
> So proposing for Natty and the ti-omap4 branch there.
> 
> -Stefan
> 
> From 35e7104ae389ba5f952163f4c8c678e78269dbd9 Mon Sep 17 00:00:00 2001
> From: Jeff Layton <jlayton@redhat.com>
> Date: Thu, 23 Feb 2012 09:37:45 -0500
> Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
> 
> The cifs code will attempt to open files on lookup under certain
> circumstances. What happens though if we find that the file we opened
> was actually a FIFO or other special file?
> 
> Currently, the open filehandle just ends up being leaked leading to
> a dentry refcount mismatch and oops on umount. Fix this by having the
> code close the filehandle on the server if it turns out not to be a
> regular file. While we're at it, change this spaghetti if statement
> into a switch too.
> 
> Cc: stable@vger.kernel.org
> Reported-by: CAI Qian <caiqian@redhat.com>
> Tested-by: CAI Qian <caiqian@redhat.com>
> Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
> Signed-off-by: Jeff Layton <jlayton@redhat.com>
> Signed-off-by: Steve French <smfrench@gmail.com>
> 
> BugLink: http://bugs.launchpad.net/bugs/947997
> CVE-2012-1090
> 
> (cherry-picked from 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  fs/cifs/dir.c |   20 ++++++++++++++++++--
>  1 file changed, 18 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
> index dd5f229..625c53d 100644
> --- a/fs/cifs/dir.c
> +++ b/fs/cifs/dir.c
> @@ -573,10 +573,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
>  			 * If either that or op not supported returned, follow
>  			 * the normal lookup.
>  			 */
> -			if ((rc == 0) || (rc == -ENOENT))
> +			switch (rc) {
> +			case 0:
> +				/*
> +				 * The server may allow us to open things like
> +				 * FIFOs, but the client isn't set up to deal
> +				 * with that. If it's not a regular file, just
> +				 * close it and proceed as if it were a normal
> +				 * lookup.
> +				 */
> +				if (newInode && !S_ISREG(newInode->i_mode)) {
> +					CIFSSMBClose(xid, pTcon, fileHandle);
> +					break;
> +				}
> +			case -ENOENT:
>  				posix_open = true;
> -			else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
> +			case -EOPNOTSUPP:
> +				break;
> +			default:
>  				pTcon->broken_posix_open = true;
> +			}
>  		}
>  		if (!posix_open)
>  			rc = cifs_get_inode_info_unix(&newInode, full_path,
> -- 
> 1.7.9.5
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
Leann Ogasawara - April 20, 2012, 1:52 p.m.
On 04/20/2012 01:38 AM, Stefan Bader wrote:
> A flaw was discovered in the Linux kernel's cifs file system. An
> unprivileged local user could exploit this flaw to crash the system leading
> to a denial of service.
>
> I believe this was introduced somewhere in 2.6.30, so Hardy is not
> affected. Fixes have reached Oneiric and Precise via upstream stable.
> So proposing for Natty and the ti-omap4 branch there.
>
> -Stefan
>
>  From 35e7104ae389ba5f952163f4c8c678e78269dbd9 Mon Sep 17 00:00:00 2001
> From: Jeff Layton<jlayton@redhat.com>
> Date: Thu, 23 Feb 2012 09:37:45 -0500
> Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
>
> The cifs code will attempt to open files on lookup under certain
> circumstances. What happens though if we find that the file we opened
> was actually a FIFO or other special file?
>
> Currently, the open filehandle just ends up being leaked leading to
> a dentry refcount mismatch and oops on umount. Fix this by having the
> code close the filehandle on the server if it turns out not to be a
> regular file. While we're at it, change this spaghetti if statement
> into a switch too.
>
> Cc: stable@vger.kernel.org
> Reported-by: CAI Qian<caiqian@redhat.com>
> Tested-by: CAI Qian<caiqian@redhat.com>
> Reviewed-by: Shirish Pargaonkar<shirishpargaonkar@gmail.com>
> Signed-off-by: Jeff Layton<jlayton@redhat.com>
> Signed-off-by: Steve French<smfrench@gmail.com>
>
> BugLink: http://bugs.launchpad.net/bugs/947997
> CVE-2012-1090
>
> (cherry-picked from 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream)
> Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>
> ---
>   fs/cifs/dir.c |   20 ++++++++++++++++++--
>   1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
> index dd5f229..625c53d 100644
> --- a/fs/cifs/dir.c
> +++ b/fs/cifs/dir.c
> @@ -573,10 +573,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
>   			 * If either that or op not supported returned, follow
>   			 * the normal lookup.
>   			 */
> -			if ((rc == 0) || (rc == -ENOENT))
> +			switch (rc) {
> +			case 0:
> +				/*
> +				 * The server may allow us to open things like
> +				 * FIFOs, but the client isn't set up to deal
> +				 * with that. If it's not a regular file, just
> +				 * close it and proceed as if it were a normal
> +				 * lookup.
> +				 */
> +				if (newInode&&  !S_ISREG(newInode->i_mode)) {
> +					CIFSSMBClose(xid, pTcon, fileHandle);
> +					break;
> +				}
> +			case -ENOENT:
>   				posix_open = true;
> -			else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
> +			case -EOPNOTSUPP:
> +				break;
> +			default:
>   				pTcon->broken_posix_open = true;
> +			}
>   		}
>   		if (!posix_open)
>   			rc = cifs_get_inode_info_unix(&newInode, full_path,
Stefan Bader - April 20, 2012, 2:12 p.m.
Applied to Natty master-next and ti-omap4

Patch

diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index dd5f229..625c53d 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -573,10 +573,26 @@  cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
 			 * If either that or op not supported returned, follow
 			 * the normal lookup.
 			 */
-			if ((rc == 0) || (rc == -ENOENT))
+			switch (rc) {
+			case 0:
+				/*
+				 * The server may allow us to open things like
+				 * FIFOs, but the client isn't set up to deal
+				 * with that. If it's not a regular file, just
+				 * close it and proceed as if it were a normal
+				 * lookup.
+				 */
+				if (newInode && !S_ISREG(newInode->i_mode)) {
+					CIFSSMBClose(xid, pTcon, fileHandle);
+					break;
+				}
+			case -ENOENT:
 				posix_open = true;
-			else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
+			case -EOPNOTSUPP:
+				break;
+			default:
 				pTcon->broken_posix_open = true;
+			}
 		}
 		if (!posix_open)
 			rc = cifs_get_inode_info_unix(&newInode, full_path,