From: Miloslav Semler <majkls@prepere.com>
To: linux-kernel@vger.kernel.org
Subject: [PATCH] sysfs: backport of sysfs_readdir fix from 2.6.22.y to 2.6.16.y (CVE-2007-3104)
Date: Sun, 23 Sep 2007 18:49:00 +0200 [thread overview]
Message-ID: <46F698FC.4040304@prepere.com> (raw)
This patch fixes CVE-2007-3104, an oops in sysfs_readdir.
More can be found here:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commit;h=dc351252b33f8fede396d6173dba117bcb933607
Signed-off-by: Miloslav Semler
---
diff -uprN linux-2.6.16.53/fs/sysfs/dir.c linux-2.6.16.53-new/fs/sysfs/dir.c
--- linux-2.6.16.53/fs/sysfs/dir.c 2007-07-25 23:05:45.000000000 +0200
+++ linux-2.6.16.53-new/fs/sysfs/dir.c 2007-09-23 18:18:09.000000000 +0200
@@ -29,6 +29,14 @@ static struct dentry_operations sysfs_de
.d_iput = sysfs_d_iput,
};
+static unsigned int sysfs_inode_counter;
+ino_t sysfs_get_inum(void)
+{
+ if (unlikely(sysfs_inode_counter < 3))
+ sysfs_inode_counter = 3;
+ return sysfs_inode_counter++;
+}
+
/*
* Allocates a new sysfs_dirent and links it to the parent sysfs_dirent
*/
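Review bot: sysfs_inode_counter is a plain `unsigned int` that sysfs_get_inum() increments with no lock or atomic visible in this hunk, so two concurrent callers could be handed the same number unless every path into sysfs_new_dirent() is already serialized, which cannot be confirmed from here. When the counter wraps, the `< 3` clamp restarts it at 3 and it will reissue numbers that live dirents may still hold. That limitation deserves a comment above the function, for example `/* numbers are not checked for reuse once the counter wraps; duplicates are possible */`. The function is called only from dir.c in this patch and no prototype is added anywhere, so `static ino_t sysfs_get_inum(void)` would keep it out of the global namespace.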
@@ -40,8 +48,10 @@ static struct sysfs_dirent * sysfs_new_d
sd = kmem_cache_alloc(sysfs_dir_cachep, GFP_KERNEL);
if (!sd)
return NULL;
+
memset(sd, 0, sizeof(*sd));
+ sd->s_ino = sysfs_get_inum();
atomic_set(&sd->s_count, 1);
INIT_LIST_HEAD(&sd->s_children);
list_add(&sd->s_sibling, &parent_sd->s_children);
@@ -385,7 +395,7 @@ static int sysfs_readdir(struct file * f
switch (i) {
case 0:
- ino = dentry->d_inode->i_ino;
+ ino = parent_sd->s_ino;
if (filldir(dirent, ".", 1, i, ino, DT_DIR) < 0)
break;
filp->f_pos++;
@@ -415,10 +425,7 @@ static int sysfs_readdir(struct file * f
name = sysfs_get_name(next);
len = strlen(name);
- if (next->s_dentry)
- ino =
next->s_dentry->d_inode->i_ino;
- else
- ino = iunique(sysfs_sb, 2);
+ ino = next->s_ino;
if (filldir(dirent, name, len,
filp->f_pos, ino,
dt_type(next)) < 0)
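Review bot: The new `ino = next->s_ino;` line carries no comment explaining why the dentry is no longer consulted, and that reason is the whole fix. The removed branch read `next->s_dentry->d_inode->i_ino`, which is presumably where the oops named in the subject came from when the dentry or its inode went away underneath readdir. I would add `/* use the number stored in the sysfs_dirent; s_dentry and its inode must not be dereferenced here */` above the assignment so the dereference is not reintroduced by a later cleanup. sysfs_readdir starts and ends outside the hunk.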
diff -uprN linux-2.6.16.53/fs/sysfs/inode.c
linux-2.6.16.53-new/fs/sysfs/inode.c
--- linux-2.6.16.53/fs/sysfs/inode.c 2007-07-25 23:05:45.000000000 +0200
+++ linux-2.6.16.53-new/fs/sysfs/inode.c 2007-09-23
18:18:09.000000000 +0200
@@ -119,6 +119,7 @@ struct inode * sysfs_new_inode(mode_t mo
inode->i_mapping->a_ops = &sysfs_aops;
inode->i_mapping->backing_dev_info =
&sysfs_backing_dev_info;
inode->i_op = &sysfs_inode_operations;
+ inode->i_ino = sd->s_ino;
if (sd->s_iattr) {
/* sysfs_dirent has non-default attributes
diff -uprN linux-2.6.16.53/fs/sysfs/mount.c
linux-2.6.16.53-new/fs/sysfs/mount.c
--- linux-2.6.16.53/fs/sysfs/mount.c 2007-07-25 23:05:45.000000000 +0200
+++ linux-2.6.16.53-new/fs/sysfs/mount.c 2007-09-23
18:18:09.000000000 +0200
@@ -29,6 +29,7 @@ static struct sysfs_dirent sysfs_root =
.s_element = NULL,
.s_type = SYSFS_ROOT,
.s_iattr = NULL,
+ .s_ino = 1,
};
static int sysfs_fill_super(struct super_block *sb, void *data, int silent)
diff -uprN linux-2.6.16.53/include/linux/sysfs.h
linux-2.6.16.53-new/include/linux/sysfs.h
--- linux-2.6.16.53/include/linux/sysfs.h 2007-07-25
23:05:45.000000000 +0200
+++ linux-2.6.16.53-new/include/linux/sysfs.h 2007-09-23
18:18:09.000000000 +0200
@@ -72,6 +72,7 @@ struct sysfs_dirent {
void * s_element;
int s_type;
umode_t s_mode;
+ ino_t s_ino;
struct dentry * s_dentry;
struct iattr * s_iattr;
};