From: Jan Kara <jack@suse.cz>
To: Mark Salyzyn <salyzyn@android.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
aneesh.kumar@linux.vnet.ibm.com, Jan Kara <jack@suse.cz>
Subject: Re: CVE-2016-7097 causes acl leak
Date: Tue, 13 Dec 2016 12:17:34 +0100 [thread overview]
Message-ID: <20161213111734.GD15362@quack2.suse.cz> (raw)
In-Reply-To: <3a180415-2f02-c9c0-e1e6-519b5d3115b7@android.com>
On Mon 12-12-16 16:26:00, Mark Salyzyn wrote:
> On 12/11/2016 04:34 PM, Cong Wang wrote:
> >On Mon, Dec 5, 2016 at 9:16 AM, Mark Salyzyn <salyzyn@android.com> wrote:
> >>Commit 073931017b49d9458aa351605b43a7e34598caef has several occurrences of
> >>an acl leak.
> >>
> >>posix_acl_update_mode(inose, &mode, &acl);
> >>
> >>. . .
> >>
> >>posix_acl_release(acl);
> >>
> >>
> >>acl is NULLed in posix_acl_update_mode to signal caller to not update the
> >>acl; but because it is nulled, it is never released.
> >I think you blame the wrong commit, this leak exists before that commit.
> >Looks like we should just release it before NULL'ing.
> >
> >diff --git a/fs/posix_acl.c b/fs/posix_acl.c
> >index 5955220..edd862a 100644
> >--- a/fs/posix_acl.c
> >+++ b/fs/posix_acl.c
> >@@ -648,8 +648,10 @@ int posix_acl_update_mode(struct inode *inode,
> >umode_t *mode_p,
> > error = posix_acl_equiv_mode(*acl, &mode);
> > if (error < 0)
> > return error;
> >- if (error == 0)
> >+ if (error == 0) {
> >+ posix_acl_release(*acl);
> > *acl = NULL;
> >+ }
> > if (!in_group_p(inode->i_gid) &&
> > !capable_wrt_inode_uidgid(inode, CAP_FSETID))
> > mode &= ~S_ISGID;
>
> The leaks were introduced in 9p, gfs2, jfs and xfs drivers only.
So I agree 9p leaks acl reference (and it was buggy even before my commit).
GFS2, JFS, and XFS seem to be OK as far as I can tell.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
prev parent reply other threads:[~2016-12-13 11:17 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-05 17:16 CVE-2016-7097 causes acl leak Mark Salyzyn
2016-12-11 18:48 ` Greg KH
2016-12-12 0:34 ` Cong Wang
2016-12-12 10:46 ` Jan Kara
2016-12-12 21:10 ` Cong Wang
2016-12-13 0:26 ` Mark Salyzyn
2016-12-13 6:26 ` Cong Wang
2016-12-13 11:28 ` Jan Kara
2016-12-13 23:56 ` Cong Wang
2016-12-13 15:55 ` Mark Salyzyn
2016-12-13 16:07 ` Jan Kara
2016-12-13 23:42 ` Mark Salyzyn
2016-12-14 0:00 ` Greg KH
2016-12-14 20:20 ` Mark Salyzyn
2016-12-14 23:30 ` Greg KH
2016-12-15 15:22 ` Mark Salyzyn
2016-12-15 16:32 ` Jan Kara
2016-12-13 11:17 ` Jan Kara [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161213111734.GD15362@quack2.suse.cz \
--to=jack@suse.cz \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=salyzyn@android.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox