--- /dev/null
+From chrisw@osdl.org Fri Sep 9 13:05:53 2005
+Date: Fri, 9 Sep 2005 13:05:53 -0700
+From: Chris Wright <chrisw@osdl.org>
+To: Kirill Korotaev <dev@sw.ru>
+Cc: security@kernel.org, Linus Torvalds <torvalds@osdl.org>,
+ Andrew Morton <akpm@osdl.org>, Chris Wright <chrisw@osdl.org>,
+ Maxim Giryaev <gem@sw.ru>
+Subject: [PATCH] lost fput in 32bit ioctl on x86-64
+
+From: Maxim Giryaev <gem@sw.ru>
+
+This patch adds lost fput in 32bit tiocgdev ioctl on x86-64
+
+I believe this is a security issues, since user can fget() file as
+many times as he wants to. So file refcounter can be overlapped and
+first fput() will free resources though there will be still structures
+pointing to the file, mnt, dentry etc. Also fput() sets f_dentry and
+f_vfsmnt to NULL, so other file users will OOPS.
+
+The oops can be done under files_lock and others, so this is really
+exploitable DoS on SMP. Didn't checked it on practice actually.
+
+(chrisw: Update to use fget_light/fput_light)
+
+Signed-Off-By: Kirill Korotaev <dev@sw.ru>
+Signed-Off-By: Maxim Giryaev <gem@sw.ru>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+ arch/x86_64/ia32/ia32_ioctl.c | 17 +++++++++++++----
+ 1 files changed, 13 insertions(+), 4 deletions(-)
+
+Index: linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
+===================================================================
+--- linux-2.6.13.y.orig/arch/x86_64/ia32/ia32_ioctl.c
++++ linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
+@@ -24,17 +24,26 @@
+ static int tiocgdev(unsigned fd, unsigned cmd, unsigned int __user *ptr)
+ {
+
+- struct file *file = fget(fd);
++ struct file *file;
+ struct tty_struct *real_tty;
++ int fput_needed, ret;
+
++ file = fget_light(fd, &fput_needed);
+ if (!file)
+ return -EBADF;
++
++ ret = -EINVAL;
+ if (file->f_op->ioctl != tty_ioctl)
+- return -EINVAL;
++ goto out;
+ real_tty = (struct tty_struct *)file->private_data;
+ if (!real_tty)
+- return -EINVAL;
+- return put_user(new_encode_dev(tty_devnum(real_tty)), ptr);
++ goto out;
++
++ ret = put_user(new_encode_dev(tty_devnum(real_tty)), ptr);
++
++out:
++ fput_light(file, fput_needed);
++ return ret;
+ }
+
+ #define RTC_IRQP_READ32 _IOR('p', 0x0b, unsigned int) /* Read IRQ rate */
--- /dev/null
+From dev@sw.ru Fri Sep 9 02:55:06 2005
+Date: Fri, 09 Sep 2005 13:59:48 +0400
+From: Kirill Korotaev <dev@sw.ru>
+To: security@kernel.org, Linus Torvalds <torvalds@osdl.org>,
+ Andrew Morton <akpm@osdl.org>, Chris Wright <chrisw@osdl.org>,
+ "Maxim Giryaev" <gem@sw.ru>
+Subject: [PATCH] Lost sockfd_put() in routing_ioctl()
+
+From: "Maxim Giryaev" <gem@sw.ru>
+
+This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on
+64bit platforms
+
+I believe this is a security issues, since user can fget() file as many
+times as he wants to. So file refcounter can be overlapped and first
+fput() will free resources though there will be still structures
+pointing to the file, mnt, dentry etc.
+Also fput() sets f_dentry and f_vfsmnt to NULL,
+so other file users will OOPS.
+
+The oops can be done under files_lock and others, so this can be an
+exploitable DoS on SMP. Didn't checked it on practice actually.
+
+Signed-Off-By: Kirill Korotaev <dev@sw.ru>
+Signed-Off-By: Maxim Giryaev <gem@sw.ru>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+ fs/compat_ioctl.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.13.y/fs/compat_ioctl.c
+===================================================================
+--- linux-2.6.13.y.orig/fs/compat_ioctl.c
++++ linux-2.6.13.y/fs/compat_ioctl.c
+@@ -798,13 +798,16 @@ static int routing_ioctl(unsigned int fd
+ r = (void *) &r4;
+ }
+
+- if (ret)
+- return -EFAULT;
++ if (ret) {
++ ret = -EFAULT;
++ goto out;
++ }
+
+ set_fs (KERNEL_DS);
+ ret = sys_ioctl (fd, cmd, (unsigned long) r);
+ set_fs (old_fs);
+
++out:
+ if (mysock)
+ sockfd_put(mysock);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
