
kernel-2.6.18-238.el5.src.rpm

From: Eric Sandeen <sandeen@redhat.com>
Subject: [RHEL5.2 PATCH] missing dput in do_lookup error case leaks dentries
Date: Mon, 05 Nov 2007 17:05:16 -0600
Bugzilla: 363491
Message-Id: <472FA1AC.20600@redhat.com>
Changelog: [fs] missing dput in do_lookup error leaks dentries


For Bugzilla Bug 363491: EMBARGOED CVE-2007-5494 open(O_ATOMICLOOKUP) leaks dentry [rhel-5.2]

The "atomic" codepaths introduced by the tux patch added an error return case
which leaks a dentry; see bug 315051 for a testcase, with which this patch
was tested.

From the original report:

static int do_lookup(struct nameidata *nd, struct qstr *name,
                     struct path *path, int atomic)
{
        struct vfsmount *mnt = nd->mnt;
        struct dentry *dentry = __d_lookup(nd->dentry, name);

        if (!dentry)
                goto need_lookup;
        if (dentry->d_op && dentry->d_op->d_revalidate)
                goto need_revalidate;
>>>>> VvS: dentry was taken but requires revalidation 

need_revalidate:
        if (atomic)
                return -EWOULDBLOCKIO;
>>>>> VvS: ... however if atomic is set, we forget to call dput before exit

Patch follows.

Thanks,
-Eric
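The leak pattern the report describes, reduced to a user-space toy, as an added example that is not part of the original mail or of the kernel tree. It models a reference-counted dentry cache with constructed contents, shows the pre-patch and post-patch shapes of the error path side by side, and checks each one the way the bug's testcase would: does the entry's reference count return to its starting value after a lookup that fails? All names (toy_d_lookup, toy_dput, toy_do_revalidate, toy_lookup_leaks, TOY_EWOULDBLOCKIO) are stand-ins invented for the example; in this toy, revalidation always succeeds, which is an assumption that keeps the focus on the atomic early return.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a reference-counted dentry cache, constructed for this
 * example. Nothing here is kernel code; it only mirrors the shape of
 * the do_lookup() error path discussed in the report. */
struct toy_dentry {
    const char *name;
    int refcount;          /* stands in for d_count */
    int needs_revalidate;  /* stands in for d_op->d_revalidate being set */
};

#define TOY_EWOULDBLOCKIO 4096  /* placeholder for the RHEL-only -EWOULDBLOCKIO */

/* Constructed cache contents: "passwd" is marked as needing revalidation. */
static struct toy_dentry toy_cache[] = {
    { "etc",    0, 0 },
    { "passwd", 0, 1 },
};
#define TOY_CACHE_LEN (sizeof(toy_cache) / sizeof(toy_cache[0]))

/* Stands in for __d_lookup(): a cache hit hands back a counted reference. */
static struct toy_dentry *toy_d_lookup(const char *name)
{
    for (size_t i = 0; i < TOY_CACHE_LEN; i++) {
        if (strcmp(toy_cache[i].name, name) == 0) {
            toy_cache[i].refcount++;
            return &toy_cache[i];
        }
    }
    return NULL;
}

/* Stands in for dput(): release one reference. */
static void toy_dput(struct toy_dentry *d)
{
    d->refcount--;
}

/* Stands in for do_revalidate(): in this toy the entry is always still
 * valid, so the caller keeps the reference it already holds. */
static struct toy_dentry *toy_do_revalidate(struct toy_dentry *d)
{
    return d;
}

/* Pre-patch shape: the atomic early return discards the dentry pointer
 * without releasing the reference the lookup took. */
static int toy_lookup_buggy(const char *name, int atomic, struct toy_dentry **out)
{
    struct toy_dentry *dentry = toy_d_lookup(name);

    if (!dentry)
        return -ENOENT;
    if (dentry->needs_revalidate) {
        if (atomic)
            return -TOY_EWOULDBLOCKIO;   /* leak: no toy_dput() */
        dentry = toy_do_revalidate(dentry);
        if (!dentry)
            return -ENOENT;
    }
    *out = dentry;
    return 0;
}

/* Post-patch shape: release the reference before bailing out. */
static int toy_lookup_fixed(const char *name, int atomic, struct toy_dentry **out)
{
    struct toy_dentry *dentry = toy_d_lookup(name);

    if (!dentry)
        return -ENOENT;
    if (dentry->needs_revalidate) {
        if (atomic) {
            toy_dput(dentry);
            return -TOY_EWOULDBLOCKIO;
        }
        dentry = toy_do_revalidate(dentry);
        if (!dentry)
            return -ENOENT;
    }
    *out = dentry;
    return 0;
}

/* Current reference count of a cache entry (0 if the name is not cached). */
static int toy_refcount(const char *name)
{
    for (size_t i = 0; i < TOY_CACHE_LEN; i++)
        if (strcmp(toy_cache[i].name, name) == 0)
            return toy_cache[i].refcount;
    return 0;
}

typedef int (*toy_lookup_fn)(const char *, int, struct toy_dentry **);

/* Leak check in the spirit of the bug's testcase: do one lookup, release the
 * result if it succeeded, and report 1 if the entry's refcount did not
 * return to its starting value. */
static int toy_lookup_leaks(toy_lookup_fn lookup, const char *name, int atomic)
{
    struct toy_dentry *result = NULL;
    int before = toy_refcount(name);
    int rc = lookup(name, atomic, &result);

    if (rc == 0)
        toy_dput(result);   /* a successful caller always balances its reference */
    return toy_refcount(name) != before;
}

int main(void)
{
    printf("buggy, atomic lookup of passwd leaks: %d\n",
           toy_lookup_leaks(toy_lookup_buggy, "passwd", 1));
    printf("fixed, atomic lookup of passwd leaks: %d\n",
           toy_lookup_leaks(toy_lookup_fixed, "passwd", 1));
    printf("buggy, atomic lookup of etc leaks:    %d\n",
           toy_lookup_leaks(toy_lookup_buggy, "etc", 1));
    return 0;
}
```

Only the combination of a revalidation-needing entry and an atomic lookup leaks in the buggy version; an entry without d_revalidate, a cache miss, or a non-atomic lookup all balance their references, which is why a testcase that exercises only the common paths never catches this kind of bug.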

---

Index: linux-2.6.18-49.el5/fs/namei.c
===================================================================
--- linux-2.6.18-49.el5.orig/fs/namei.c
+++ linux-2.6.18-49.el5/fs/namei.c
@@ -788,8 +788,10 @@ need_lookup:
 	goto done;
 
 need_revalidate:
-	if (atomic)
+	if (atomic) {
+		dput(dentry);
 		return -EWOULDBLOCKIO;
+	}
 	dentry = do_revalidate(dentry, nd);
 	if (!dentry)
 		goto need_lookup;
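Review bot: the added dput(dentry) on the atomic early return at need_revalidate correctly balances the reference taken by __d_lookup(), but the asymmetry with the line that follows is worth a one-line comment: the non-atomic path hands dentry to do_revalidate() rather than calling dput() itself, so a reader of this hunk alone could take the new dput() for a double release. Suggest `/* __d_lookup() gave us a reference; drop it before bailing out */` above the new dput(dentry).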