From: J. R. Okajima <hooanon05@yahoo.co.jp>
Date: Sun, 7 Feb 2010 06:48:55 +0000 (+1100)
Subject: ima: fix null pointer deref
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fjmorris%2Fsecurity-testing-2.6.git;a=commitdiff_plain;h=8bb6795424b09db0eca1cccf7a17b93fc28ac7f7
ima: fix null pointer deref
The commit 6c21a7f "LSM: imbed ima calls in the security hooks"
which moves the ima_file_free() call within security_file_free()
brought a problem into pipe.c.
In the error path of pipe(2), the allocated resources are freed by
path_put() and put_filp() (in this order). Since security_file_free()
refers f_dentry and ima_file_free() refers f_dentry->d_inode, path_put()
should be called after put_filp().
Signed-off-by: J. R. Okajima <hooanon05@yahoo.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
---
diff --git a/fs/pipe.c b/fs/pipe.c
index 37ba29f..90b543d 100644
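--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1004,9 +1004,10 @@ struct file *create_write_pipe(int flags)
 
 void free_write_pipe(struct file *f)
 {
+ struct path path = f->f_path;
 free_pipe_info(f->f_dentry->d_inode);
- path_put(&f->f_path);
 put_filp(f);
+ path_put(&path);
 }
 
 struct file *create_read_pipe(struct file *wrf, int flags)
@@ -1028,6 +1029,7 @@ int do_pipe_flags(int *fd, int flags)
 struct file *fw, *fr;
 int error;
 int fdw, fdr;
+ struct path path;
 
 if (flags & ~(O_CLOEXEC | O_NONBLOCK))
 return -EINVAL;
@@ -1061,8 +1063,9 @@ int do_pipe_flags(int *fd, int flags)
 err_fdr:
 put_unused_fd(fdr);
 err_read_pipe:
- path_put(&fr->f_path);
+ path = fr->f_path;
 put_filp(fr);
+ path_put(&path);
 err_write_pipe:
 free_write_pipe(fw);
 return error;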
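Review bot: The release order that this fix depends on is not recorded in the code, either in free_write_pipe() or at the err_read_pipe label in do_pipe_flags(). The local `struct path` copy therefore reads like a redundant temporary, and a later cleanup could fold it back into `path_put(&f->f_path)` ahead of `put_filp()`, reintroducing the NULL dereference the commit message describes. A one-line comment at both sites would pin the invariant, for example `/* per the LSM/IMA hook order, put_filp() still reads f_dentry->d_inode; drop the path refs only afterwards */`. Both sites now repeat the same copy, put_filp(), path_put() sequence, so a small static helper taking the `struct file *` would keep them from drifting apart. do_pipe_flags() starts outside the hunks shown, so whether its other exit paths release a path before the file cannot be checked from this page.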