tags/2.6.13-4/1016_2_lost-sockfd_put-in-32bit-compat-routing_ioctl.patch

From dev@sw.ru  Fri Sep  9 02:55:06 2005
Date: Fri, 09 Sep 2005 13:59:48 +0400
From: Kirill Korotaev <dev@sw.ru>
To: security@kernel.org, Linus Torvalds <torvalds@osdl.org>,
        Andrew Morton <akpm@osdl.org>, Chris Wright <chrisw@osdl.org>,
        "Maxim Giryaev" <gem@sw.ru>
Subject: [PATCH] Lost sockfd_put() in routing_ioctl()

From: "Maxim Giryaev" <gem@sw.ru>

This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on 
64bit platforms

I believe this is a security issues, since user can fget() file as many 
times as he wants to. So file refcounter can be overlapped and first 
fput() will free resources though there will be still structures 
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.

The oops can be done under files_lock and others, so this can be an 
exploitable DoS on SMP. Didn't checked it on practice actually.

Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-Off-By: Maxim Giryaev <gem@sw.ru>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---
 fs/compat_ioctl.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

Index: linux-2.6.13.y/fs/compat_ioctl.c
===================================================================
--- linux-2.6.13.y.orig/fs/compat_ioctl.c
+++ linux-2.6.13.y/fs/compat_ioctl.c
@@ -798,13 +798,16 @@ static int routing_ioctl(unsigned int fd
                r = (void *) &r4;
        }
 
-       if (ret)
-               return -EFAULT;
+       if (ret) {
+               ret = -EFAULT;
+               goto out;
+       }
 
        set_fs (KERNEL_DS);
        ret = sys_ioctl (fd, cmd, (unsigned long) r);
        set_fs (old_fs);
 
+out:
        if (mysock)
                sockfd_put(mysock);
 
1	From dev@sw.ru Fri Sep 9 02:55:06 2005
2	Date: Fri, 09 Sep 2005 13:59:48 +0400
3	From: Kirill Korotaev <dev@sw.ru>
4	To: security@kernel.org, Linus Torvalds <torvalds@osdl.org>,
5	Andrew Morton <akpm@osdl.org>, Chris Wright <chrisw@osdl.org>,
6	"Maxim Giryaev" <gem@sw.ru>
7	Subject: [PATCH] Lost sockfd_put() in routing_ioctl()
8
9	From: "Maxim Giryaev" <gem@sw.ru>
10
11	This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on
12	64bit platforms
13
14	I believe this is a security issues, since user can fget() file as many
15	times as he wants to. So file refcounter can be overlapped and first
16	fput() will free resources though there will be still structures
17	pointing to the file, mnt, dentry etc.
18	Also fput() sets f_dentry and f_vfsmnt to NULL,
19	so other file users will OOPS.
20
21	The oops can be done under files_lock and others, so this can be an
22	exploitable DoS on SMP. Didn't checked it on practice actually.
23
24	Signed-Off-By: Kirill Korotaev <dev@sw.ru>
25	Signed-Off-By: Maxim Giryaev <gem@sw.ru>
26	Signed-off-by: Chris Wright <chrisw@osdl.org>
27	---
28	fs/compat_ioctl.c \| 7 +++++--
29	1 files changed, 5 insertions(+), 2 deletions(-)
30
31	Index: linux-2.6.13.y/fs/compat_ioctl.c
32	===================================================================
33	--- linux-2.6.13.y.orig/fs/compat_ioctl.c
34	+++ linux-2.6.13.y/fs/compat_ioctl.c
35	@@ -798,13 +798,16 @@ static int routing_ioctl(unsigned int fd
36	r = (void *) &r4;
37	}
38
39	- if (ret)
40	- return -EFAULT;
41	+ if (ret) {
42	+ ret = -EFAULT;
43	+ goto out;
44	+ }
45
46	set_fs (KERNEL_DS);
47	ret = sys_ioctl (fd, cmd, (unsigned long) r);
48	set_fs (old_fs);
49
50	+out:
51	if (mysock)
52	sockfd_put(mysock);
53