| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3a180415-2f02-c9c0-e1e6-519b5d3115b7@android.com>
Date: Mon, 12 Dec 2016 16:26:00 -0800
From: Mark Salyzyn <salyzyn@...roid.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: LKML <linux-kernel@...r.kernel.org>,
aneesh.kumar@...ux.vnet.ibm.com, Jan Kara <jack@...e.cz>
Subject: Re: CVE-2016-7097 causes acl leak
On 12/11/2016 04:34 PM, Cong Wang wrote:
> On Mon, Dec 5, 2016 at 9:16 AM, Mark Salyzyn <salyzyn@...roid.com> wrote:
>> Commit 073931017b49d9458aa351605b43a7e34598caef has several occurrences of
>> an acl leak.
>>
>> posix_acl_update_mode(inose, &mode, &acl);
>>
>> . . .
>>
>> posix_acl_release(acl);
>>
>>
>> acl is NULLed in posix_acl_update_mode to signal caller to not update the
>> acl; but because it is nulled, it is never released.
> I think you blame the wrong commit, this leak exists before that commit.
> Looks like we should just release it before NULL'ing.
>
> diff --git a/fs/posix_acl.c b/fs/posix_acl.c
> index 5955220..edd862a 100644
> --- a/fs/posix_acl.c
> +++ b/fs/posix_acl.c
> @@ -648,8 +648,10 @@ int posix_acl_update_mode(struct inode *inode,
> umode_t *mode_p,
> error = posix_acl_equiv_mode(*acl, &mode);
> if (error < 0)
> return error;
> - if (error == 0)
> + if (error == 0) {
> + posix_acl_release(*acl);
> *acl = NULL;
> + }
> if (!in_group_p(inode->i_gid) &&
> !capable_wrt_inode_uidgid(inode, CAP_FSETID))
> mode &= ~S_ISGID;
The leaks were introduced in 9p, gfs2, jfs and xfs drivers only.
-- Mark
Powered by blists - more mailing lists