[patch 08/18] hfs_fill_super returns success even if no root inode (CVE-2006-6056)

Tue, 20 Feb 2007 18:04:19 -0800 

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Eric Sandeen <[EMAIL PROTECTED]>

http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html

mount that image...
fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended.  
mounting read-only.
hfs: get root inode failed.
BUG: unable to handle kernel NULL pointer dereference at virtual address 
00000018
 printing eip
...
EIP is at superblock_doinit+0x21/0x767
...
 [] selinux_sb_kern_mount+0xc/0x4b
 [] vfs_kern_mount+0x99/0xf6
 [] do_kern_mount+0x2d/0x3e
 [] do_mount+0x5fa/0x66d
 [] sys_mount+0x77/0xae
 [] syscall_call+0x7/0xb
DWARF2 unwinder stuck at syscall_call+0x7/0xb

hfs_fill_super() returns success even if
  root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
or
  sb->s_root = d_alloc_root(root_inode);

fails.  This superblock finds its way to superblock_doinit() which does:

        struct dentry *root = sb->s_root;
        struct inode *inode = root->d_inode;

and boom.  Need to make sure the error cases return an error, I think.

[EMAIL PROTECTED]: return -ENOMEM on oom]
Signed-off-by: Eric Sandeen <[EMAIL PROTECTED]>
Cc: Roman Zippel <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
---
Date: Thu, 16 Nov 2006 09:19:22 +0000 (-0800)
Subject: [patch 08/18] [PATCH] hfs_fill_super returns success even if no root 
inode
X-Git-Tag: v2.6.19
X-Git-Url: 
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d6ddf55440833fd9404138026af246c51ebeef22

 fs/hfs/super.c |    2 ++
 1 file changed, 2 insertions(+)

--- linux-2.6.18.7.orig/fs/hfs/super.c
+++ linux-2.6.18.7/fs/hfs/super.c
@@ -391,11 +391,13 @@ static int hfs_fill_super(struct super_b
                hfs_find_exit(&fd);
                goto bail_no_root;
        }
+       res = -EINVAL;
        root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
        hfs_find_exit(&fd);
        if (!root_inode)
                goto bail_no_root;
 
+       res = -ENOMEM;
        sb->s_root = d_alloc_root(root_inode);
        if (!sb->s_root)
                goto bail_iput;

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to