[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 11 Dec 2016 16:34:31 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: Mark Salyzyn <salyzyn@...roid.com>
Cc: LKML <linux-kernel@...r.kernel.org>,
aneesh.kumar@...ux.vnet.ibm.com, Jan Kara <jack@...e.cz>
Subject: Re: CVE-2016-7097 causes acl leak
On Mon, Dec 5, 2016 at 9:16 AM, Mark Salyzyn <salyzyn@...roid.com> wrote:
> Commit 073931017b49d9458aa351605b43a7e34598caef has several occurrences of
> an acl leak.
>
> posix_acl_update_mode(inose, &mode, &acl);
>
> . . .
>
> posix_acl_release(acl);
>
>
> acl is NULLed in posix_acl_update_mode to signal caller to not update the
> acl; but because it is nulled, it is never released.
I think you blame the wrong commit, this leak exists before that commit.
Looks like we should just release it before NULL'ing.
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 5955220..edd862a 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -648,8 +648,10 @@ int posix_acl_update_mode(struct inode *inode,
umode_t *mode_p,
error = posix_acl_equiv_mode(*acl, &mode);
if (error < 0)
return error;
- if (error == 0)
+ if (error == 0) {
+ posix_acl_release(*acl);
*acl = NULL;
+ }
if (!in_group_p(inode->i_gid) &&
!capable_wrt_inode_uidgid(inode, CAP_FSETID))
mode &= ~S_ISGID;
Powered by blists - more mailing lists