Sophie

kernel-2.6.18-238.el5.src.rpm

From: Danny Feng <dfeng@redhat.com>
Date: Fri, 21 Aug 2009 09:54:09 +0800
Subject: [md] prevent crash when accessing suspend_* sysfs attr
Message-id: 4A8DFE41.9000002@redhat.com
O-Subject: Re: [PATCH RHEL5.5] CVE-2009-2849 md: avoid dereferencing NULL pointer when accessing suspend_* sysfs attributes.
Bugzilla: 518136
RH-Acked-by: Dean Nelson <dnelson@redhat.com>
RH-Acked-by: Jerome Marchand <jmarchan@redhat.com>
RH-Acked-by: Doug Ledford <dledford@redhat.com>
RH-Acked-by: Prarit Bhargava <prarit@redhat.com>
RH-Nacked-by: Prarit Bhargava <prarit@redhat.com>
CVE: CVE-2009-2849

On 08/20/2009 07:15 PM, Dean Nelson wrote:
> On 08/20/2009 02:28 AM, Danny Feng wrote:
>> RHBZ#:
>> https://bugzilla.redhat.com/show_bug.cgi?id=518136
>>
>> Description:
>> It is possible to modify one of the md/ sysfs files - suspend_lo or suspend_hi
>> when the array is not active. NOTE: this is only a vulnerability when sysfs
>> files are writable by an attacker. They are not writable by default.
>>
>> Upstream status:
>> http://git.kernel.org/linus/b8d966efd9a46a9a35beac50cbff6e30565125ef
>>
>> Brew ID#:
>> http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1935413
>>
>> KABI:
>> no harm
>

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 0a8d76c..05c8873 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -2830,7 +2830,8 @@ suspend_lo_store(mddev_t *mddev, const char *buf, size_t len)
 	char *e;
 	unsigned long long new = simple_strtoull(buf, &e, 10);
 
-	if (mddev->pers->quiesce == NULL)
+	if (mddev->pers == NULL || 
+	    mddev->pers->quiesce == NULL)
 		return -EINVAL;
 	if (buf == e || (*e && *e != '\n'))
 		return -EINVAL;
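Review bot: the added line `if (mddev->pers == NULL || ` in suspend_lo_store ends with a trailing space after `||`, which the matching line in the suspend_hi_store hunk does not have; drop it so the two checks are identical and whitespace checks pass. The new test is correctly placed ahead of the first `mddev->pers->quiesce` dereference, but it returns the same -EINVAL as the input-format check two lines below, so a writer cannot tell "array not active" from "bad number"; a one-line comment on the pers == NULL case would at least document that the first return covers an inactive array.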
@@ -2858,7 +2859,8 @@ suspend_hi_store(mddev_t *mddev, const char *buf, size_t len)
 	char *e;
 	unsigned long long new = simple_strtoull(buf, &e, 10);
 
-	if (mddev->pers->quiesce == NULL)
+	if (mddev->pers == NULL ||
+	    mddev->pers->quiesce == NULL)
 		return -EINVAL;
 	if (buf == e || (*e && *e != '\n'))
 		return -EINVAL;
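Review bot: in suspend_hi_store the new condition reads `mddev->pers` twice, once for the NULL test and once for `->quiesce`, and nothing in this hunk shows a lock held across both reads; please confirm the sysfs store path already serialises against the array being stopped, or read pers into a local once and test that. The same two-line condition now appears verbatim in suspend_lo_store as well, so a small shared helper would keep the two handlers from drifting apart.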