[kernel/f15] CVE-2012-1090 CIFS: fix dentry refcount leak when opening a FIFO on lookup (rhbz 798296)

Justin M. Forbes jforbes at fedoraproject.org
Tue Feb 28 20:05:55 UTC 2012


commit 5c51b136d3911008ab0f858e196e0846cbfb8c82
Author: Justin M. Forbes <jforbes at redhat.com>
Date:   Tue Feb 28 14:05:39 2012 -0600

    CVE-2012-1090 CIFS: fix dentry refcount leak when opening a FIFO on lookup (rhbz 798296)

 ...-dentry-refcount-leak-when-opening-a-FIFO.patch |   61 ++++++++++++++++++++
 kernel.spec                                        |   11 +++-
 2 files changed, 71 insertions(+), 1 deletions(-)
---
diff --git a/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch b/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
new file mode 100644
index 0000000..9fd87ac
--- /dev/null
+++ b/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
@@ -0,0 +1,61 @@
+From 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at redhat.com>
+Date: Thu, 23 Feb 2012 09:37:45 -0500
+Subject: [PATCH] cifs: fix dentry refcount leak when opening a FIFO on lookup
+
+The cifs code will attempt to open files on lookup under certain
+circumstances. What happens though if we find that the file we opened
+was actually a FIFO or other special file?
+
+Currently, the open filehandle just ends up being leaked leading to
+a dentry refcount mismatch and oops on umount. Fix this by having the
+code close the filehandle on the server if it turns out not to be a
+regular file. While we're at it, change this spaghetti if statement
+into a switch too.
+
+Cc: stable at vger.kernel.org
+Reported-by: CAI Qian <caiqian at redhat.com>
+Tested-by: CAI Qian <caiqian at redhat.com>
+Reviewed-by: Shirish Pargaonkar <shirishpargaonkar at gmail.com>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Signed-off-by: Steve French <smfrench at gmail.com>
+---
+ fs/cifs/dir.c |   20 ++++++++++++++++++--
+ 1 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
+index 63a196b..bc7e244 100644
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -584,10 +584,26 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
+ 			 * If either that or op not supported returned, follow
+ 			 * the normal lookup.
+ 			 */
+-			if ((rc == 0) || (rc == -ENOENT))
++			switch (rc) {
++			case 0:
++				/*
++				 * The server may allow us to open things like
++				 * FIFOs, but the client isn't set up to deal
++				 * with that. If it's not a regular file, just
++				 * close it and proceed as if it were a normal
++				 * lookup.
++				 */
++				if (newInode && !S_ISREG(newInode->i_mode)) {
++					CIFSSMBClose(xid, pTcon, fileHandle);
++					break;
++				}
++			case -ENOENT:
+ 				posix_open = true;
+-			else if ((rc == -EINVAL) || (rc != -EOPNOTSUPP))
++			case -EOPNOTSUPP:
++				break;
++			default:
+ 				pTcon->broken_posix_open = true;
++			}
+ 		}
+ 		if (!posix_open)
+ 			rc = cifs_get_inode_info_unix(&newInode, full_path,
+-- 
+1.7.0.4
+
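Review bot: the `case 0:` arm falls through into `case -ENOENT:` on purpose when the opened object is a regular file, but the fallthrough is unmarked; add a `/* fall through */` comment after the closing brace of the `if (newInode && !S_ISREG(newInode->i_mode))` block so the intent survives later edits and implicit-fallthrough warnings. The return value of `CIFSSMBClose(xid, pTcon, fileHandle)` is also discarded; if a failed close is deliberately ignored here, a one-line comment saying so would help. Otherwise the switch preserves the previous behaviour: 0 and -ENOENT set `posix_open`, -EOPNOTSUPP is a no-op, and every other error sets `pTcon->broken_posix_open`, which matches the old `(rc == -EINVAL) || (rc != -EOPNOTSUPP)` condition; the new close-and-break path leaves `posix_open` false, so the lookup continues through `cifs_get_inode_info_unix` as the commit message describes.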
diff --git a/kernel.spec b/kernel.spec
index 9d4a4a1..014bce7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # When changing real_sublevel below, reset this by hand to 1
 # (or to 0 and then use rpmdev-bumpspec).
 #
-%global baserelease 2
+%global baserelease 3
 %global fedora_build %{baserelease}
 
 # real_sublevel is the 3.x kernel version we're starting with
@@ -718,6 +718,9 @@ Patch21101: hpsa-add-irqf-shared.patch
 #rhbz 727865 730007
 Patch21102: ACPICA-Fix-regression-in-FADT-revision-checks.patch
 
+# rhbz 798296
+Patch21103: cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
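Review bot: the `# rhbz 798296` comment above `Patch21103:` omits the CVE identifier that the changelog entry carries; consider `# rhbz 798296 CVE-2012-1090` so the security fix is traceable from the patch list and not only from `%changelog`.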
@@ -1327,6 +1330,9 @@ ApplyPatch bcma-brcmsmac-compat.patch
 #rhbz 727865 730007
 ApplyPatch ACPICA-Fix-regression-in-FADT-revision-checks.patch
 
+# rhbz 798296
+ApplyPatch cifs-fix-dentry-refcount-leak-when-opening-a-FIFO.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1974,6 +1980,9 @@ fi
 # and build.
 
 %changelog
+* Tue Feb 28 2012 Justin M. Forbes <jforbes at redhat.com> 2.6.42.7-3
+- CVE-2012-1090 CIFS: fix dentry refcount leak when opening a FIFO on lookup (rhbz 798296)
+
 * Mon Feb 27 2012 Josh Boyer <jwboyer at redhat.com>
 - Add patch to fix regression in FADT revision checks (rhbz 730007 727865)
 

