PATCH: fd leak if pipe() is called with an invalid address.

From: Changli Gao
Date: Thu Jul 02 2009 - 03:22:23 EST


fd leak if pipe() is called with an invalid address.

Though -EFAULT is returned, the file descriptors opened by the pipe() call
are left open.

Signed-off-by: Changli Gao <xiaosuo@xxxxxxxxx>
----

x86/ia32/sys_ia32.c | 5 ++++-
xtensa/kernel/syscall.c | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)


--- arch/x86/ia32/sys_ia32.c.orig 2009-07-02 15:08:39.000000000 +0800
+++ arch/x86/ia32/sys_ia32.c 2009-07-02 15:09:49.000000000 +0800
@@ -197,8 +197,11 @@
retval = do_pipe_flags(fds, 0);
if (retval)
goto out;
- if (copy_to_user(fd, fds, sizeof(fds)))
+ if (copy_to_user(fd, fds, sizeof(fds))) {
+ sys_close(fd[0]);
+ sys_close(fd[1]);
retval = -EFAULT;
+ }
out:
return retval;
}
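Review bot: the two added sys_close() calls in the copy_to_user() failure branch index fd, but in this function fd is the user-space destination of copy_to_user(fd, fds, sizeof(fds)); the kernel array filled by do_pipe_flags() is fds. As written, the cleanup dereferences a user pointer directly from kernel code, and it is the very address the copy has just failed on, so the descriptor numbers are read from the bad address rather than from the array that holds them. The calls should be sys_close(fds[0]); sys_close(fds[1]); which also matches how the xtensa hunk uses its kernel-side array.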
--- arch/xtensa/kernel/syscall.c.orig 2009-07-02 15:09:01.000000000 +0800
+++ arch/xtensa/kernel/syscall.c 2009-07-02 15:10:15.000000000 +0800
@@ -51,8 +51,11 @@

error = do_pipe_flags(fd, 0);
if (!error) {
- if (copy_to_user(userfds, fd, 2 * sizeof(int)))
+ if (copy_to_user(userfds, fd, 2 * sizeof(int))) {
+ sys_close(fd[0]);
+ sys_close(fd[1]);
error = -EFAULT;
+ }
}
return error;
}
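Review bot: the sys_close(fd[0]) / sys_close(fd[1]) cleanup in the failure branch uses the kernel array, which is correct here, but it closes by descriptor number after both descriptors are already open in the file table (that is the leak the changelog describes). If the file table is shared with another thread, that thread can close and reuse either number between do_pipe_flags() returning and the failed copy_to_user(), and the cleanup would then close an unrelated file. At minimum this deserves a comment; the sturdier fix is to make the descriptors visible only after the copy to userfds has succeeded, which would also let this and the ia32 path share one error path instead of duplicating it.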
