From: Danny Feng <dfeng@redhat.com>
Date: Fri, 21 Aug 2009 09:54:09 +0800
Subject: [md] prevent crash when accessing suspend_* sysfs attr
Message-id: 4A8DFE41.9000002@redhat.com
O-Subject: Re: [PATCH RHEL5.5] CVE-2009-2849 md: avoid dereferencing NULL pointer when accessing suspend_* sysfs attributes.
Bugzilla: 518136
RH-Acked-by: Dean Nelson <dnelson@redhat.com>
RH-Acked-by: Jerome Marchand <jmarchan@redhat.com>
RH-Acked-by: Doug Ledford <dledford@redhat.com>
RH-Acked-by: Prarit Bhargava <prarit@redhat.com>
RH-Nacked-by: Prarit Bhargava <prarit@redhat.com>
CVE: CVE-2009-2849

On 08/20/2009 07:15 PM, Dean Nelson wrote:
> On 08/20/2009 02:28 AM, Danny Feng wrote:
>> RHBZ#:
>> https://bugzilla.redhat.com/show_bug.cgi?id=518136
>>
>> Description:
>> It is possible to modify one of the md/ sysfs files - suspend_lo or
>> suspend_hi
>> when the array is not active. NOTE: this is only a vulnerability when
>> sysfs
>> files are writable by an attacker. It is not writable by default.
>>
>> Upstream status:
>> http://git.kernel.org/linus/b8d966efd9a46a9a35beac50cbff6e30565125ef
>>
>> Brew ID#:
>> http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1935413
>>
>> KABI:
>> no harm
>
diff --git a/drivers/md/md.c b/drivers/md/md.c index 0a8d76c..05c8873 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -2830,7 +2830,8 @@ suspend_lo_store(mddev_t *mddev, const char *buf, size_t len) char *e; unsigned long long new = simple_strtoull(buf, &e, 10); - if (mddev->pers->quiesce == NULL) + if (mddev->pers == NULL || + mddev->pers->quiesce == NULL) return -EINVAL; if (buf == e || (*e && *e != '\n')) return -EINVAL; @@ -2858,7 +2859,8 @@ suspend_hi_store(mddev_t *mddev, const char *buf, size_t len) char *e; unsigned long long new = simple_strtoull(buf, &e, 10); - if (mddev->pers->quiesce == NULL) + if (mddev->pers == NULL || + mddev->pers->quiesce == NULL) return -EINVAL; if (buf == e || (*e && *e != '\n')) return -EINVAL;
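Review bot: in the suspend_lo_store hunk (@@ -2830), the new `mddev->pers == NULL ||` test only closes the NULL dereference if the store is entered with the mddev lock held, so that an array stop cannot clear `mddev->pers` between this check and the dereference of `mddev->pers->quiesce` on the very next line; the patch description should say that the sysfs store path provides that serialization, otherwise this narrows a race rather than removing it. Minor: `simple_strtoull(buf, &e, 10)` still runs before the guard; moving the personality check ahead of the parse would let the inactive-array path return without touching the input at all, though that is a style preference and matching upstream b8d966ef as-is is reasonable for a CVE backport.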
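Review bot: the guard added to suspend_hi_store (@@ -2858) is identical to the one in suspend_lo_store; with two copies already, a small static helper (a `suspend_store_allowed(mddev)` test, name hypothetical) would keep both attributes in step if the condition ever grows. Both hunks also return -EINVAL for "no personality loaded", which a writer of the sysfs file cannot distinguish from the malformed-input -EINVAL two lines below (`if (buf == e || (*e && *e != '\n')) return -EINVAL;`); a one-line comment on why an inactive array is reported as invalid input would help the next reader, since nothing in the hunk says so.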