Contents of /genpatches-2.6/tags/2.6.13-4/1015_2_lost-fput-in-32bit-ioctl-on-x86-64.patch

Revision 168 - (show annotations) (download)
Sun Sep 18 11:19:29 2005 UTC (8 years, 11 months ago) by dsd
File size: 2181 byte(s)
2.6.13-4 release
From chrisw@osdl.org Fri Sep 9 13:05:53 2005
Date: Fri, 9 Sep 2005 13:05:53 -0700
From: Chris Wright <chrisw@osdl.org>
To: Kirill Korotaev <dev@sw.ru>
Cc: security@kernel.org, Linus Torvalds <torvalds@osdl.org>,
    Andrew Morton <akpm@osdl.org>, Chris Wright <chrisw@osdl.org>,
    Maxim Giryaev <gem@sw.ru>
Subject: [PATCH] lost fput in 32bit ioctl on x86-64

From: Maxim Giryaev <gem@sw.ru>

This patch adds the lost fput() in the 32bit tiocgdev ioctl on x86-64.

I believe this is a security issue, since a user can fget() a file as
many times as he wants to. So the file refcounter can be overlapped and
the first fput() will free resources though there will still be structures
pointing to the file, mnt, dentry etc. Also fput() sets f_dentry and
f_vfsmnt to NULL, so other file users will OOPS.

The oops can be done under files_lock and others, so this is really an
exploitable DoS on SMP. Didn't check it in practice actually.

(chrisw: Update to use fget_light/fput_light)

Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-Off-By: Maxim Giryaev <gem@sw.ru>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---
 arch/x86_64/ia32/ia32_ioctl.c | 17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

Index: linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
===================================================================
--- linux-2.6.13.y.orig/arch/x86_64/ia32/ia32_ioctl.c
+++ linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
36 @@ -24,17 +24,26 @@
37 static int tiocgdev(unsigned fd, unsigned cmd, unsigned int __user *ptr)
38 {
39
40 - struct file *file = fget(fd);
41 + struct file *file;
42 struct tty_struct *real_tty;
43 + int fput_needed, ret;
44
45 + file = fget_light(fd, &fput_needed);
46 if (!file)
47 return -EBADF;
48 +
49 + ret = -EINVAL;
50 if (file->f_op->ioctl != tty_ioctl)
51 - return -EINVAL;
52 + goto out;
53 real_tty = (struct tty_struct *)file->private_data;
54 if (!real_tty)
55 - return -EINVAL;
56 - return put_user(new_encode_dev(tty_devnum(real_tty)), ptr);
57 + goto out;
58 +
59 + ret = put_user(new_encode_dev(tty_devnum(real_tty)), ptr);
60 +
61 +out:
62 + fput_light(file, fput_needed);
63 + return ret;
64 }
65
66 #define RTC_IRQP_READ32 _IOR('p', 0x0b, unsigned int) /* Read IRQ rate */
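Review bot: with both -EINVAL returns replaced by `goto out;`, every path after a successful fget_light() now drops its reference through the single `fput_light(file, fput_needed);` exit, which is exactly what closes the leak; the early `return -EBADF;` is correctly left outside `out:` since no reference was taken when fget_light() returns NULL. Before merging it is worth confirming that any other handler in this file that takes a reference with fget() also releases it on every early return, because this is the same pattern. Minor style points: `ret = -EINVAL;` could be folded into the declaration (`int fput_needed, ret = -EINVAL;`), and the `(struct tty_struct *)` cast on `file->private_data` is redundant since private_data is `void *`, though that line is unchanged here.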

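The leak the commit message describes, as an added example that is not part of the patch or of the kernel: a userspace C mock with a toy `struct file` and `fget()`/`fput()` stand-ins (all assumed, not kernel code) carrying the pre-fix and post-fix control flow of tiocgdev() side by side, so that calling each on a non-tty fd shows the reference count climbing by one per call before the fix and staying balanced after it.

```c
#include <errno.h>

/* Toy struct file: just the refcount and a "is this a tty" flag standing in
 * for the page's file->f_op->ioctl == tty_ioctl test. */
struct file { int f_count; int is_tty; };

/* Assumption: every fd resolves to this one non-tty file, held with a single
 * reference by its owner, so each call takes the -EINVAL path. */
static struct file the_file = { .f_count = 1, .is_tty = 0 };

static struct file *fget(unsigned fd) { (void)fd; the_file.f_count++; return &the_file; }
static void fput(struct file *file) { file->f_count--; }

/* Pre-fix flow: the -EINVAL return skips fput(), leaking one reference per call. */
static int tiocgdev_before(unsigned fd)
{
    struct file *file = fget(fd);
    if (!file)
        return -EBADF;
    if (!file->is_tty)
        return -EINVAL;             /* reference taken by fget() is never dropped */
    fput(file);
    return 0;
}

/* Post-fix flow: every path after a successful fget() leaves through out:. */
static int tiocgdev_after(unsigned fd)
{
    struct file *file = fget(fd);
    int ret = -EINVAL;
    if (!file)
        return -EBADF;
    if (!file->is_tty)
        goto out;
    ret = 0;
out:
    fput(file);
    return ret;
}

/* Reset the file, call handler n times on fd 3, and return the resulting
 * refcount: 1 when references are balanced, 1 + n when each call leaked one. */
static int refcount_after(int (*handler)(unsigned), int n)
{
    the_file.f_count = 1;
    for (int i = 0; i < n; i++)
        handler(3);
    return the_file.f_count;
}
```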