From: J. R. Okajima <hooanon05@yahoo.co.jp>

Date: Sun, 7 Feb 2010 06:48:55 +0000 (+1100)

Subject: ima: fix null pointer deref

X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fjmorris%2Fsecurity-testing-2.6.git;a=commitdiff_plain;h=8bb6795424b09db0eca1cccf7a17b93fc28ac7f7

ima: fix null pointer deref

The commit 6c21a7f "LSM: imbed ima calls in the security hooks"

which moves the ima_file_free() call within security_file_free()

brought a problem into pipe.c.

In the error path of pipe(2), the allocated resources are freed by

path_put() and put_filp() (in this order). Since security_file_free()

refers f_dentry and ima_file_free() refers f_dentry->d_inode, path_put()

should be called after put_filp().

Signed-off-by: J. R. Okajima <hooanon05@yahoo.co.jp>

Signed-off-by: James Morris <jmorris@namei.org>

---

diff --git a/fs/pipe.c b/fs/pipe.c

index 37ba29f..90b543d 100644

--- a/fs/pipe.c

+++ b/fs/pipe.c

@@ -1004,9 +1004,10 @@ struct file *create_write_pipe(int flags)

 void free_write_pipe(struct file *f)

 {

+	struct path path = f->f_path;

 	free_pipe_info(f->f_dentry->d_inode);

-	path_put(&f->f_path);

 	put_filp(f);

+	path_put(&path);

 }

 struct file *create_read_pipe(struct file *wrf, int flags)

@@ -1028,6 +1029,7 @@ int do_pipe_flags(int *fd, int flags)

 	struct file *fw, *fr;

 	int error;

 	int fdw, fdr;

+	struct path path;

 	if (flags & ~(O_CLOEXEC | O_NONBLOCK))

 		return -EINVAL;

@@ -1061,8 +1063,9 @@ int do_pipe_flags(int *fd, int flags)

  err_fdr:

 	put_unused_fd(fdr);

  err_read_pipe:

-	path_put(&fr->f_path);

+	path = fr->f_path;

 	put_filp(fr);

+	path_put(&path);

  err_write_pipe:

 	free_write_pipe(fw);

 	return error;