| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 Oct 2008 00:41:44 -0600 (MDT)
From: jmerkey@...fmountaingroup.com
To: linux-kernel@...r.kernel.org
Subject: Re: do_filp_open fails to detect dentry revalidate of 1 and crashes
>
> On assignment of a negative dentry, do_filp_open will crash with an oops
> in do_sys_open because do_filp_open returns "1" from revalidate rather
> than properly detect a negative dentry which has a dentry revalidate
> function before the file actually exists.
>
>
> Easy to reproduce. Create negative dentry and attach a revalidate
> function which returns 1 instead of 0 on non-existent file entry. The
> convoluted code in do_filp_open does not detect dentry errors in all cases
> properly.
>
> Jeff
>
Correction:
It's vfs_create that fails to check return codes properly.
/*
* Create - we need to know the parent.
*/
error = path_lookup_create(dfd, pathname, LOOKUP_PARENT,
&nd, flag, mode);
////
If ERROR is a positive value, ERR_PTR fails to convert it to a negative
value. This causes the EDI register to get set to "1" after do_filp_open
returns.
////
if (error)
return ERR_PTR(error);
/*
* We have the parent and last component. First of all, check
* that we are not asked to creat(2) an obvious directory - that
* will not do.
*/
error = -EISDIR;
if (nd.last_type != LAST_NORM || nd.last.name[nd.last.len])
goto exit;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists