| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Jan 2010 19:51:00 +0000 From: Al Viro <viro@...IV.linux.org.uk> To: OGAWA Hirofumi <hirofumi@...l.parknet.co.jp> Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org Subject: Re: [PATCH 2/2] vfs: Fix refcnt leak with __do_follow_link() in do_filp_open() On Tue, Jan 12, 2010 at 03:35:13AM +0900, OGAWA Hirofumi wrote: > Hi, > > I noticed refcnt leak in do_filp_open() by recent change. Could you > review this one? > > > __do_follow_link() handles "nd->path and path" refcnt by special way. > If path->mnt == nd->path.mnt (i.e. those is sharing the refcnt), it > gets refcnt of path->mnt, to make simple error path of it. > > So, we can't call __do_follow_link() twice without special care, > because it will get refcnt of path->mnt twice. (i.e. current > do_filp_open() is leaking path->mnt if first __do_follow_link() > returned -ESTALE and path->mnt != nd->path.mnt) > > This moves the special refcnt handling from __do_follow_link() as > path_unshare_refcnt(). Then call it once for that do_filp_open() path. Point, but... that's not the way I'd do it (again, see #untested for the direction it's heading). What we ought to do is simply "put ourselves in trust-no-one mode (LOOKUP_REVAL) and restart the entire thing; if we'd already been through that, fail immediately". And yes, it needs to be pulled in front of queue and go in before .34. Will do shortly. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists