From: Greg Kroah-Hartman
Date: Mon, 7 Nov 2022 15:34:27 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.9.333~37
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d7a6bb33927aaf1e99305fa52908b36f761164d0;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches added patches: capabilities-fix-potential-memleak-on-error-path-from-vfs_getxattr_alloc.patch fuse-add-file_modified-to-fallocate.patch
---
diff --git a/queue-4.14/capabilities-fix-potential-memleak-on-error-path-from-vfs_getxattr_alloc.patch b/queue-4.14/capabilities-fix-potential-memleak-on-error-path-from-vfs_getxattr_alloc.patch
new file mode 100644
index 00000000000..508d182e969
--- /dev/null
+++ b/queue-4.14/capabilities-fix-potential-memleak-on-error-path-from-vfs_getxattr_alloc.patch
@@ -0,0 +1,51 @@
+From 8cf0a1bc12870d148ae830a4ba88cfdf0e879cee Mon Sep 17 00:00:00 2001
+From: Gaosheng Cui
+Date: Tue, 25 Oct 2022 21:33:57 +0800
+Subject: capabilities: fix potential memleak on error path from vfs_getxattr_alloc()
+
+From: Gaosheng Cui
+
+commit 8cf0a1bc12870d148ae830a4ba88cfdf0e879cee upstream.
+
+In cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to
+complete the memory allocation of tmpbuf, if we have completed
+the memory allocation of tmpbuf, but failed to call handler->get(...),
+there will be a memleak in below logic:
+
+ |-- ret = (int)vfs_getxattr_alloc(mnt_userns, ...)
+ | /* ^^^ alloc for tmpbuf */
+ |-- value = krealloc(*xattr_value, error + 1, flags)
+ | /* ^^^ alloc memory */
+ |-- error = handler->get(handler, ...)
+ | /* error! */
+ |-- *xattr_value = value
+ | /* xattr_value is &tmpbuf (memory leak!) */
+
+So we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
+Signed-off-by: Gaosheng Cui
+Acked-by: Serge Hallyn
+[PM: subject line and backtrace tweaks]
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/commoncap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -398,8 +398,10 @@ int cap_inode_getsecurity(struct inode *
+ &tmpbuf, size, GFP_NOFS);
+ dput(dentry);
+
+- if (ret < 0 || !tmpbuf)
+- return ret;
++ if (ret < 0 || !tmpbuf) {
++ size = ret;
++ goto out_free;
++ }
+
+ fs_ns = inode->i_sb->s_user_ns;
+ cap = (struct vfs_cap_data *) tmpbuf;
diff --git a/queue-4.14/fuse-add-file_modified-to-fallocate.patch b/queue-4.14/fuse-add-file_modified-to-fallocate.patch
new file mode 100644
index 00000000000..bc869e575c6
--- /dev/null
+++ b/queue-4.14/fuse-add-file_modified-to-fallocate.patch
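Review bot: In the cap_inode_getsecurity() hunk of the capabilities backport, the new error branch jumps to `out_free`, a label that lies outside the hunk, so this page does not show that the 4.14 version of the function defines it or that it frees `tmpbuf` and returns `size`; that should be confirmed against the 4.14 tree before the patch is queued. The branch would also benefit from a comment explaining why a failed call can still own memory, for example `/* vfs_getxattr_alloc() may have allocated tmpbuf before failing; free it */`. Per the commit message the buffer is left in `*xattr_value` when handler->get() fails, so other callers of vfs_getxattr_alloc() that return immediately on a negative result would presumably leak the same way and are worth auditing.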
@@ -0,0 +1,33 @@
+From 4a6f278d4827b59ba26ceae0ff4529ee826aa258 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Fri, 28 Oct 2022 14:25:20 +0200
+Subject: fuse: add file_modified() to fallocate
+
+From: Miklos Szeredi
+
+commit 4a6f278d4827b59ba26ceae0ff4529ee826aa258 upstream.
+
+Add missing file_modified() call to fuse_file_fallocate(). Without this
+fallocate on fuse failed to clear privileges.
+
+Fixes: 05ba1f082300 ("fuse: add FALLOCATE operation")
+Cc:
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -3008,6 +3008,10 @@ static long fuse_file_fallocate(struct f
+ goto out;
+ }
+
++ err = file_modified(file);
++ if (err)
++ goto out;
++
+ if (!(mode & FALLOC_FL_KEEP_SIZE))
+ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 5eae236a2f3..859df3ff0bc 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -24,3 +24,5 @@ bluetooth-l2cap-fix-attempting-to-access-uninitialized-memory.patch
 block-bfq-protect-bfqd-queued-by-bfqd-lock.patch
 btrfs-fix-type-of-parameter-generation-in-btrfs_get_dentry.patch
 tcp-udp-make-early_demux-back-namespacified.patch
+capabilities-fix-potential-memleak-on-error-path-from-vfs_getxattr_alloc.patch
+fuse-add-file_modified-to-fallocate.patch
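Review bot: In the fuse_file_fallocate() hunk of the fuse backport, the added `err = file_modified(file);` depends on two things the hunk does not show: that the 4.14 tree provides file_modified() at all, and that the inode lock is held on every path reaching the call. The privilege clearing the commit message describes changes inode attributes, so if this function takes the lock only for some `mode` values (not visible here; the function starts and ends outside the hunk), the call would need to sit inside the locked region or the locking would need widening. A short comment on the call would help later backporters, e.g. `/* drop setuid/setgid privileges before changing the allocation, as a write would */`.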