lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun,  4 Mar 2007 20:55:02 -0500
From:	"Josef 'Jeff' Sipek" <jsipek@...sunysb.edu>
To:	linux-kernel@...r.kernel.org, akpm@...ux-foundation.org
Cc:	Erez Zadok <ezk@...sunysb.edu>,
	"Josef 'Jeff' Sipek" <jsipek@...sunysb.edu>
Subject: [PATCH 12/13] fs/unionfs/: Fix dentry leak in copyup_named_dentry

From: Erez Zadok <ezk@...sunysb.edu>

When we chmod a directory on a readonly branch, and have to copy it up, we
forget to dput(). If this was a file, it gets dput indirectly through other
functions we call, but not if it was a directory.

Signed-off-by: Erez Zadok <ezk@...sunysb.edu>
Signed-off-by: Josef 'Jeff' Sipek <jsipek@...sunysb.edu>
---
 fs/unionfs/copyup.c |   14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/fs/unionfs/copyup.c b/fs/unionfs/copyup.c
index e0075ca..e24d940 100644
--- a/fs/unionfs/copyup.c
+++ b/fs/unionfs/copyup.c
@@ -352,20 +352,18 @@ static int copyup_named_dentry(struct inode *dir, struct dentry *dentry,
 
 	unionfs_read_lock(sb);
 
-	if ((err = is_robranch_super(sb, new_bindex))) {
-		dput(old_hidden_dentry);
+	if ((err = is_robranch_super(sb, new_bindex)))
 		goto out;
-	}
 
 	/* Create the directory structure above this dentry. */
 	new_hidden_dentry = create_parents_named(dir, dentry, name, new_bindex);
 	if (IS_ERR(new_hidden_dentry)) {
-		dput(old_hidden_dentry);
 		err = PTR_ERR(new_hidden_dentry);
 		goto out;
 	}
 
 	old_hidden_dentry = unionfs_lower_dentry_idx(dentry, old_bindex);
+	/* we conditionally dput this old_hidden_dentry at end of function */
 	dget(old_hidden_dentry);
 
 	/* For symlinks, we must read the link before we lock the directory. */
@@ -460,6 +458,14 @@ out_unlock:
 	unlock_dir(new_hidden_parent_dentry);
 
 out_free:
+	/*
+	 * If old_hidden_dentry was a directory, we need to dput it.  If it
+	 * was a file, then it was already dput indirectly by other
+	 * functions we call ablve which operate on regular files.
+	 */
+	if (old_hidden_dentry && old_hidden_dentry->d_inode &&
+	    S_ISDIR(old_hidden_dentry->d_inode->i_mode))
+		dput(old_hidden_dentry);
 	kfree(symbuf);
 
 out:
-- 
1.5.0.2.260.g2eb065

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ