kernel-2.6.18-194.11.1.el5.src.rpm (Scientific Linux 5, x86_64)

From: Danny Feng <dfeng@redhat.com>
Date: Tue, 21 Jul 2009 01:59:09 -0400
Subject: [net] tun/tap: open /dev/net/tun and then poll() it fix
Message-id: 20090721055908.18789.81108.sendpatchset@danny
O-Subject: [PATCH RHEL5.4] CVE-2009-1897 tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
Bugzilla: 512286
RH-Acked-by: Pete Zaitcev <zaitcev@redhat.com>
RH-Acked-by: Eugene Teo <eugene@redhat.com>
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>
RH-Acked-by: David Miller <davem@redhat.com>
RH-Acked-by: Andy Gospodarek <gospo@redhat.com>
RH-Acked-by: Thomas Graf <tgraf@redhat.com>
CVE: CVE-2009-1897

RHBZ#512286
https://bugzilla.redhat.com/show_bug.cgi?id=512286

Description:
Fix NULL pointer dereference in tun_chr_pool() introduced by commit
388c3049 ("[RHEL5.4 PATCH] tun: Add packet accounting") and
triggered by this code:

        #include <fcntl.h>
        #include <poll.h>
        int main(void)
        {
                int fd;
                struct pollfd pfd;
                fd = open("/dev/net/tun", O_RDWR); /* no TUNSETIFF: private_data stays NULL */
                pfd.fd = fd;
                pfd.events = POLLIN | POLLOUT;
                poll(&pfd, 1, 0); /* tun_chr_poll() loads tun->sk before checking tun */
                return 0;
        }

Brew ID: 1898462

KABI:
no harm

Upstream status:
backport of commit 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13

Test status:
Without the patch, kernel panic with the reproducer program (for root user) on
RHEL5.4 (only affects 5.4). Testing on RHEL5.4 x86_64. I confirm this patch
fixes the kernel panic.

Please review and ACK.
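The two orderings of the check, as an added example that is not part of this patch or of the kernel source: a userspace model of tun_chr_poll() in which tun_struct, sock, the read queue and file->private_data are simplified stand-ins (all assumed here) and only the poll masks from <poll.h> are real. It shows why the fix moves the load of tun->sk rather than adding a second check: once a compiler has seen tun dereferenced, GCC's default -fdelete-null-pointer-checks at -O2 may treat tun as non-NULL and drop a later `if (!tun)` entirely, which is why a load-before-check in a handler reachable from an unprivileged open() is more than a crash.

```c
#include <poll.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumed, not the kernel's definitions). */
struct sock {
    int writeable;              /* models sock_writeable(sk) */
};

struct tun_struct {
    struct sock *sk;            /* socket behind the tun device */
    int readq_len;              /* models the length of tun->readq */
};

struct file {
    void *private_data;         /* NULL until TUNSETIFF attaches a tun_struct */
};

/* Pre-patch ordering: tun->sk is loaded before tun is checked.  With a NULL
 * private_data this dereferences NULL, and because the load already implies
 * tun != NULL, GCC's default -fdelete-null-pointer-checks at -O2 may remove
 * the check below entirely.  Only ever call this with an attached file. */
unsigned int tun_chr_poll_vulnerable(struct file *file)
{
    struct tun_struct *tun = file->private_data;
    struct sock *sk = tun->sk;  /* BUG: dereference before the NULL check */
    unsigned int mask = 0;

    if (!tun)                   /* too late, and may be optimised away */
        return POLLERR;

    if (tun->readq_len > 0)
        mask |= POLLIN;
    if (sk->writeable)
        mask |= POLLOUT;
    return mask;
}

/* Patched ordering: validate tun, then load tun->sk.  Returns POLLERR (the
 * upstream choice) for an unattached file instead of the backport's -EBADFD. */
unsigned int tun_chr_poll_fixed(struct file *file)
{
    struct tun_struct *tun = file->private_data;
    struct sock *sk;
    unsigned int mask = 0;

    if (!tun)
        return POLLERR;

    sk = tun->sk;               /* safe: tun is known to be non-NULL here */

    if (tun->readq_len > 0)
        mask |= POLLIN;
    if (sk->writeable)
        mask |= POLLOUT;
    return mask;
}

/* Drive the fixed handler through the states that matter: open() without
 * TUNSETIFF (the reproducer), attached with an empty read queue, attached
 * with a packet queued.  Returns how many of the three behaved as expected. */
int run_poll_cases(void)
{
    struct sock sk = { .writeable = 1 };
    struct tun_struct tun = { .sk = &sk, .readq_len = 0 };
    struct file unattached = { .private_data = NULL };
    struct file attached = { .private_data = &tun };
    int ok = 0;

    if (tun_chr_poll_fixed(&unattached) == (unsigned int)POLLERR)
        ok++;                   /* no crash, just an error mask */
    if (tun_chr_poll_fixed(&attached) == (unsigned int)POLLOUT)
        ok++;                   /* writable, nothing to read */
    tun.readq_len = 1;
    if (tun_chr_poll_fixed(&attached) == (unsigned int)(POLLIN | POLLOUT))
        ok++;                   /* readable and writable */
    return ok;
}

/* Once a device is attached both orderings agree; the bug is only reachable
 * through the unattached fd.  Returns 1 if they agree for both queue states. */
int handlers_agree_when_attached(void)
{
    struct sock sk = { .writeable = 1 };
    struct tun_struct tun = { .sk = &sk, .readq_len = 0 };
    struct file attached = { .private_data = &tun };
    int agree = tun_chr_poll_vulnerable(&attached) == tun_chr_poll_fixed(&attached);

    tun.readq_len = 1;
    agree = agree && tun_chr_poll_vulnerable(&attached) == tun_chr_poll_fixed(&attached);
    return agree;
}

int main(void)
{
    printf("%d of 3 poll cases behaved as expected; handlers agree when attached: %s\n",
           run_poll_cases(), handlers_agree_when_attached() ? "yes" : "no");
    return 0;
}
```

The vulnerable variant is deliberately never called with an unattached file; the point of the model is that the two handlers are indistinguishable once TUNSETIFF has run, so the bug is only reachable from the open()-then-poll() state in the description, where the fixed ordering returns an error mask instead of faulting.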

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index b803dba..785ef15 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -234,12 +234,14 @@ static void tun_net_init(struct net_device *dev)
 static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
 {  
 	struct tun_struct *tun = file->private_data;
-	struct sock *sk = tun->sk;
+	struct sock *sk;
 	unsigned int mask = 0;
 
 	if (!tun)
 		return -EBADFD;
 
+	sk = tun->sk;
+
 	DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
 
 	poll_wait(file, &tun->read_wait, wait);
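Review bot: the `!tun` path still does `return -EBADFD;` from a function declared `unsigned int` (a poll mask), so userspace receives a mask with almost every bit set rather than an error; while the load is being reordered, this would be the place to return POLLERR as upstream tun_chr_poll() does. The reorder itself is right: `sk = tun->sk;` now runs only after `if (!tun)`, so an fd that was open()ed but never had a device attached (file->private_data still NULL) no longer dereferences NULL on poll(), matching the reproducer in the description. Moving the load rather than adding a second check is the correct shape, since a dereference that precedes a NULL test invites the compiler to drop the test.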