[patch 08/18] hfs_fill_super returns success even if no root inode (CVE-2006-6056)

From: Greg KH
Date: Tue Feb 20 2007 - 20:57:21 EST

Next message: Greg KH: "[patch 07/18] grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)"
Previous message: Greg KH: "[patch 05/18] IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G"
In reply to: Greg KH: "[patch 05/18] IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G"
Next in thread: Greg KH: "[patch 07/18] grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Eric Sandeen <sandeen@xxxxxxxxxx>

http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html

mount that image...
fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended. mounting read-only.
hfs: get root inode failed.
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
printing eip
...
EIP is at superblock_doinit+0x21/0x767
...
[] selinux_sb_kern_mount+0xc/0x4b
[] vfs_kern_mount+0x99/0xf6
[] do_kern_mount+0x2d/0x3e
[] do_mount+0x5fa/0x66d
[] sys_mount+0x77/0xae
[] syscall_call+0x7/0xb
DWARF2 unwinder stuck at syscall_call+0x7/0xb

hfs_fill_super() returns success even if
root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
or
sb->s_root = d_alloc_root(root_inode);

fails. This superblock finds its way to superblock_doinit() which does:

struct dentry *root = sb->s_root;
struct inode *inode = root->d_inode;

and boom. Need to make sure the error cases return an error, I think.

[akpm@xxxxxxxx: return -ENOMEM on oom]
Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
Cc: Roman Zippel <zippel@xxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxx>
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
Date: Thu, 16 Nov 2006 09:19:22 +0000 (-0800)
Subject: [patch 08/18] [PATCH] hfs_fill_super returns success even if no root inode
X-Git-Tag: v2.6.19
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d6ddf55440833fd9404138026af246c51ebeef22

fs/hfs/super.c | 2 ++
1 file changed, 2 insertions(+)

--- linux-2.6.18.7.orig/fs/hfs/super.c
+++ linux-2.6.18.7/fs/hfs/super.c
@@ -391,11 +391,13 @@ static int hfs_fill_super(struct super_b
hfs_find_exit(&fd);
goto bail_no_root;
}
+ res = -EINVAL;
root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
hfs_find_exit(&fd);
if (!root_inode)
goto bail_no_root;

+ res = -ENOMEM;
sb->s_root = d_alloc_root(root_inode);
if (!sb->s_root)
goto bail_iput;

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[patch 07/18] grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)"
Previous message: Greg KH: "[patch 05/18] IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G"
In reply to: Greg KH: "[patch 05/18] IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G"
Next in thread: Greg KH: "[patch 07/18] grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]