[PATCH 5/7 v3] vfs: fix possible use after free in finish_open()

From: Miklos Szeredi
Date: Mon Sep 20 2010 - 14:04:58 EST


From: Miklos Szeredi <mszeredi@xxxxxxx>

If open(O_TRUNC) is called and the actual open fails, then nd->path
will be released by nameidata_to_filp(). If this races with an
unmount then mnt_drop_write() can Oops.

Fix by acquiring a ref to nd->path and releasing after
mnt_drop_write().

Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxx>
CC: stable@xxxxxxxxxx
---
fs/namei.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
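The failure mode in the description (the callee drops the caller's reference on open failure, and the caller then touches nd->path.mnt in mnt_drop_write()) and the fix (pin the path with path_get()/path_put() around the call), as an added user-space model. This is constructed illustration code, not kernel code and not part of the patch; the names mnt_get/mnt_put/open_intent/scenario are assumptions standing in for path_get/path_put/nameidata_to_filp.

```c
#include <stdio.h>

/* Constructed model of a refcounted mount (stands in for nd->path.mnt). */
struct mnt {
    int refs;           /* path_get()/path_put() reference count */
    int write_holders;  /* mnt_want_write()/mnt_drop_write() count */
    int freed;          /* set when the last ref goes: the unmount has won */
};

static void mnt_get(struct mnt *m) { m->refs++; }
static void mnt_put(struct mnt *m) { if (--m->refs == 0) m->freed = 1; }

/* Models mnt_drop_write(): returns -1 if it ran on a freed mount (the Oops). */
static int mnt_drop_write(struct mnt *m)
{
    if (m->freed) return -1;
    m->write_holders--;
    return 0;
}

/* Models nameidata_to_filp(): on failure it puts the caller's path. */
static int open_intent(struct mnt *m, int fail)
{
    if (fail) { mnt_put(m); return -1; }
    return 0;
}

/* 'Before': touches the mount after the callee may have dropped the last ref. */
static int finish_open_buggy(struct mnt *m, int fail)
{
    m->write_holders++;                 /* mnt_want_write() */
    int rc = open_intent(m, fail);
    if (mnt_drop_write(m) < 0)          /* may run on a freed mount */
        return -2;                      /* use after free */
    return rc;
}

/* 'After': hold our own reference across the call, drop it after mnt_drop_write(). */
static int finish_open_fixed(struct mnt *m, int fail)
{
    m->write_holders++;
    mnt_get(m);                         /* path_get(): callee may put nd->path */
    int rc = open_intent(m, fail);
    int drop = mnt_drop_write(m);       /* safe: we still own a reference */
    mnt_put(m);                         /* path_put(): pairs with the get above */
    return drop < 0 ? -2 : rc;
}

/* Scenario where the callee's put would be the last reference (unmount raced). */
static int scenario(int (*fn)(struct mnt *, int), int fail)
{
    struct mnt m = { .refs = 1, .write_holders = 0, .freed = 0 };
    return fn(&m, fail);
}
```

scenario(finish_open_buggy, 1) returns -2 (mnt_drop_write() on a freed mount), scenario(finish_open_fixed, 1) returns the plain open error -1.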

Index: linux-2.6/fs/namei.c
===================================================================
--- linux-2.6.orig/fs/namei.c 2010-09-20 13:32:35.000000000 +0200
+++ linux-2.6/fs/namei.c 2010-09-20 13:33:14.000000000 +0200
@@ -1559,6 +1559,11 @@ static struct file *finish_open(struct n
mnt_drop_write(nd->path.mnt);
goto exit;
}
+ if (will_truncate) {
+ /* nameidata_to_filp() puts nd->path! */
+ path_get(&nd->path);
+ }
+
filp = nameidata_to_filp(nd);
if (!IS_ERR(filp)) {
error = ima_file_check(filp, acc_mode);
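Review bot: the new comment `/* nameidata_to_filp() puts nd->path! */` reads as if the put were unconditional, while the description says it happens only when the actual open fails; suggest something like `/* nameidata_to_filp() puts nd->path on failure; pin it so mnt_drop_write() below stays safe */` so the reason for the extra reference, and its pairing with a later path_put(), is clear from this hunk alone. Placing the path_get() after the `mnt_drop_write(nd->path.mnt); goto exit;` branch is correct, since that early exit never acquires the extra reference and so must not release it.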
@@ -1581,8 +1586,10 @@ static struct file *finish_open(struct n
* because the filp has had a write taken
* on its behalf.
*/
- if (will_truncate)
+ if (will_truncate) {
mnt_drop_write(nd->path.mnt);
+ path_put(&nd->path);
+ }
return filp;

exit:
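Review bot: the new `path_put(&nd->path)` must stay after `mnt_drop_write(nd->path.mnt)`, because that reference is what keeps nd->path.mnt valid for the drop when the open failed, and it is only balanced because it sits under the same `will_truncate` condition as the path_get(); the comment block above (`It is now safe to drop the mnt write ...`) should state both the ordering and the pairing, and note that any early return added between the path_get() and this point would leak the reference.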
