From a0598b486ff6b39cf713d0906dbd6be255f44d1b Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Wed, 14 Sep 2005 17:36:01 -0700
Subject: [PATCH] Add lost fput/sockfd_put patches from Kirill and Maxim

---
 .../lost-fput-in-32bit-ioctl-on-x86-64.patch | 66 +++++++++++++++++++
 ...fd_put-in-32bit-compat-routing_ioctl.patch | 53 +++++++++++++++
 queue/series | 2 +
 3 files changed, 121 insertions(+)
 create mode 100644 queue/lost-fput-in-32bit-ioctl-on-x86-64.patch
 create mode 100644 queue/lost-sockfd_put-in-32bit-compat-routing_ioctl.patch

diff --git a/queue/lost-fput-in-32bit-ioctl-on-x86-64.patch b/queue/lost-fput-in-32bit-ioctl-on-x86-64.patch
new file mode 100644
index 00000000000..9fec3a65d23
--- /dev/null
+++ b/queue/lost-fput-in-32bit-ioctl-on-x86-64.patch
@@ -0,0 +1,66 @@
+From chrisw@osdl.org Fri Sep 9 13:05:53 2005
+Date: Fri, 9 Sep 2005 13:05:53 -0700
+From: Chris Wright
+To: Kirill Korotaev
+Cc: security@kernel.org, Linus Torvalds ,
+ Andrew Morton , Chris Wright ,
+ Maxim Giryaev
+Subject: [PATCH] lost fput in 32bit ioctl on x86-64
+
+From: Maxim Giryaev
+
+This patch adds lost fput in 32bit tiocgdev ioctl on x86-64
+
+I believe this is a security issues, since user can fget() file as
+many times as he wants to. So file refcounter can be overlapped and
+first fput() will free resources though there will be still structures
+pointing to the file, mnt, dentry etc. Also fput() sets f_dentry and
+f_vfsmnt to NULL, so other file users will OOPS.
+
+The oops can be done under files_lock and others, so this is really
+exploitable DoS on SMP. Didn't checked it on practice actually.
+
+(chrisw: Update to use fget_light/fput_light)
+
+Signed-Off-By: Kirill Korotaev
+Signed-Off-By: Maxim Giryaev
+Signed-off-by: Chris Wright
+---
+ arch/x86_64/ia32/ia32_ioctl.c | 17 +++++++++++++----
+ 1 files changed, 13 insertions(+), 4 deletions(-)
+
+Index: linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
+===================================================================
+--- linux-2.6.13.y.orig/arch/x86_64/ia32/ia32_ioctl.c
++++ linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
+@@ -24,17 +24,26 @@
+ static int tiocgdev(unsigned fd, unsigned cmd, unsigned int __user *ptr)
+ {
+
+- struct file *file = fget(fd);
++ struct file *file;
+ struct tty_struct *real_tty;
++ int fput_needed, ret;
+
++ file = fget_light(fd, &fput_needed);
+ if (!file)
+ return -EBADF;
++
++ ret = -EINVAL;
+ if (file->f_op->ioctl != tty_ioctl)
+- return -EINVAL;
++ goto out;
+ real_tty = (struct tty_struct *)file->private_data;
+ if (!real_tty)
+- return -EINVAL;
+- return put_user(new_encode_dev(tty_devnum(real_tty)), ptr);
++ goto out;
++
++ ret = put_user(new_encode_dev(tty_devnum(real_tty)), ptr);
++
++out:
++ fput_light(file, fput_needed);
++ return ret;
+ }
+
+ #define RTC_IRQP_READ32 _IOR('p', 0x0b, unsigned int) /* Read IRQ rate */
diff --git a/queue/lost-sockfd_put-in-32bit-compat-routing_ioctl.patch b/queue/lost-sockfd_put-in-32bit-compat-routing_ioctl.patch
new file mode 100644
index 00000000000..d0a4c0230a8
--- /dev/null
+++ b/queue/lost-sockfd_put-in-32bit-compat-routing_ioctl.patch
@@ -0,0 +1,53 @@
+From dev@sw.ru Fri Sep 9 02:55:06 2005
+Date: Fri, 09 Sep 2005 13:59:48 +0400
+From: Kirill Korotaev
+To: security@kernel.org, Linus Torvalds ,
+ Andrew Morton , Chris Wright ,
+ "Maxim Giryaev"
+Subject: [PATCH] Lost sockfd_put() in routing_ioctl()
+
+From: "Maxim Giryaev"
+
+This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on
+64bit platforms
+
+I believe this is a security issues, since user can fget() file as many
+times as he wants to. So file refcounter can be overlapped and first
+fput() will free resources though there will be still structures
+pointing to the file, mnt, dentry etc.
+Also fput() sets f_dentry and f_vfsmnt to NULL,
+so other file users will OOPS.
+
+The oops can be done under files_lock and others, so this can be an
+exploitable DoS on SMP. Didn't checked it on practice actually.
+
+Signed-Off-By: Kirill Korotaev
+Signed-Off-By: Maxim Giryaev
+Signed-off-by: Chris Wright
+---
+ fs/compat_ioctl.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.13.y/fs/compat_ioctl.c
+===================================================================
+--- linux-2.6.13.y.orig/fs/compat_ioctl.c
++++ linux-2.6.13.y/fs/compat_ioctl.c
+@@ -798,13 +798,16 @@ static int routing_ioctl(unsigned int fd
+ r = (void *) &r4;
+ }
+
+- if (ret)
+- return -EFAULT;
++ if (ret) {
++ ret = -EFAULT;
++ goto out;
++ }
+
+ set_fs (KERNEL_DS);
+ ret = sys_ioctl (fd, cmd, (unsigned long) r);
+ set_fs (old_fs);
+
++out:
+ if (mysock)
+ sockfd_put(mysock);
+
diff --git a/queue/series b/queue/series
index c86eee273f5..72df7a5648b 100644
--- a/queue/series
+++ b/queue/series
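Review bot: `file->f_op` is dereferenced without a NULL check at the `file->f_op->ioctl != tty_ioctl` comparison in tiocgdev(); that line predates this patch, but since every failure now exits through `out`, the guard is cheap to add if f_op can be NULL for a descriptor reaching this compat handler (the generic ioctl path checks it, as far as I recall): `if (!file->f_op || file->f_op->ioctl != tty_ioctl) goto out;`. The reference accounting itself looks right: `ret` is assigned before the first `goto out`, and `fput_light()` with the same `fput_needed` runs on every path after a successful `fget_light()`. A one-line comment above the label, e.g. `/* every path after fget_light() must drop the reference here */`, would document the invariant this patch restores so the next edit does not reintroduce an early `return`.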
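Review bot: The new `goto out` in routing_ioctl() lands on `if (mysock) sockfd_put(mysock);`, so it relies on `mysock` being either NULL or a held socket on every path that reaches the `if (ret)` check, and on a `return ret;` following the `sockfd_put()` call; the function's start and end are both outside this hunk, so neither could be confirmed from the diff. If `mysock` is not initialised at its declaration, the early exit would hand an indeterminate pointer to `sockfd_put()`. A short comment at the label, e.g. `/* drop the socket reference taken earlier on every exit, including the -EFAULT path */`, would make the ownership rule visible to later edits.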
@@ -1,3 +1,5 @@
+lost-fput-in-32bit-ioctl-on-x86-64.patch
+lost-sockfd_put-in-32bit-compat-routing_ioctl.patch
 forcedeth-init-link-settings-in-nv_open.patch
 hpt366-write-dword-not-byte-for-ROM-resource.patch
 sungem-enable-and-map-pci-rom-properly.patch
-- 
2.47.3