kernel-2.6.18-238.el5.src.rpm

From: Danny Feng <dfeng@redhat.com>
Date: Fri, 4 Dec 2009 04:30:47 -0500
Subject: [fuse] prevent fuse_put_request on invalid pointer
Message-id: <20091204043021.22047.4742.sendpatchset@dhcp-65-180.nay.redhat.com>
Patchwork-id: 21675
O-Subject: [PATCH RHEL5.5] fuse: prevent fuse_put_request on invalid pointer
Bugzilla: 538737
CVE: CVE-2009-4021
RH-Acked-by: Eugene Teo <eugene@redhat.com>
RH-Acked-by: Josef Bacik <josef@redhat.com>
RH-Acked-by: Prarit Bhargava <prarit@redhat.com>

backport upstream commit f60311d to fix CVE-2009-4021:

commit f60311d5f7670d9539b424e4ed8b5c0872fc9e83
Author: Anand V. Avati <avati@gluster.com>
Date:   Thu Oct 22 06:24:52 2009 -0700

    fuse: prevent fuse_put_request on invalid pointer

    fuse_direct_io() has a loop where requests are allocated in each
    iteration. If allocation fails, the loop is broken out and follows
    into an unconditional fuse_put_request() on that invalid pointer.

    Signed-off-by: Anand V. Avati <avati@gluster.com>
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Cc: stable@kernel.org

Brew build is available at:
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=2124586

resolves bz538737

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index f9f06a5..cba44ca 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -732,7 +732,8 @@ static ssize_t fuse_direct_io(struct file *file, const char __user *buf,
 				break;
 		}
 	}
-	fuse_put_request(fc, req);
+	if (!IS_ERR(req))
+		fuse_put_request(fc, req);
 	if (res > 0) {
 		if (write)
 			fuse_write_update_size(inode, pos);
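Review bot: the `if (!IS_ERR(req))` guard before `fuse_put_request(fc, req)` covers the path the commit message describes (allocation inside the loop fails, `req` is left as an error pointer, and the loop breaks straight into the put), but it only filters an ERR_PTR value, so it is worth confirming that the allocator used in the loop never returns NULL, since IS_ERR() would let a NULL through to fuse_put_request(). A one-line comment above the check, e.g. `/* req is an ERR_PTR when the last allocation in the loop failed */`, would document why the put is conditional. The hunk shows only the put and the following `if (res > 0)` branch; whether the allocation error itself is propagated to the caller when the break happens with a partial `res` is outside the visible context and should be checked in the surrounding code.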