From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jeff Layton <jlayton@redhat.com>,
Steve French <sfrench@us.ibm.com>
Subject: [ 08/40] cifs: ensure that cifs_get_root() only traverses directories
Date: Tue, 12 Mar 2013 15:43:29 -0700 [thread overview]
Message-ID: <20130312223212.375138897@linuxfoundation.org> (raw)
In-Reply-To: <20130312223211.492954675@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@redhat.com>
commit ce2ac52105aa663056dfc17966ebed1bf93e6e64 upstream.
Kjell Braden reported this oops:
[ 833.211970] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 833.212816] IP: [< (null)>] (null)
[ 833.213280] PGD 1b9b2067 PUD e9f7067 PMD 0
[ 833.213874] Oops: 0010 [#1] SMP
[ 833.214344] CPU 0
[ 833.214458] Modules linked in: des_generic md4 nls_utf8 cifs vboxvideo drm snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq bnep rfcomm snd_timer bluetooth snd_seq_device ppdev snd vboxguest parport_pc joydev mac_hid soundcore snd_page_alloc psmouse i2c_piix4 serio_raw lp parport usbhid hid e1000
[ 833.215629]
[ 833.215629] Pid: 1752, comm: mount.cifs Not tainted 3.0.0-rc7-bisectcifs-fec11dd9a0+ #18 innotek GmbH VirtualBox/VirtualBox
[ 833.215629] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
[ 833.215629] RSP: 0018:ffff8800119c9c50 EFLAGS: 00010282
[ 833.215629] RAX: ffffffffa02186c0 RBX: ffff88000c427780 RCX: 0000000000000000
[ 833.215629] RDX: 0000000000000000 RSI: ffff88000c427780 RDI: ffff88000c4362e8
[ 833.215629] RBP: ffff8800119c9c88 R08: ffff88001fc15e30 R09: 00000000d69515c7
[ 833.215629] R10: ffffffffa0201972 R11: ffff88000e8f6a28 R12: ffff88000c4362e8
[ 833.215629] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88001181aaa6
[ 833.215629] FS: 00007f2986171700(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
[ 833.215629] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 833.215629] CR2: 0000000000000000 CR3: 000000001b982000 CR4: 00000000000006f0
[ 833.215629] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 833.215629] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 833.215629] Process mount.cifs (pid: 1752, threadinfo ffff8800119c8000, task ffff88001c1c16f0)
[ 833.215629] Stack:
[ 833.215629] ffffffff8116a9b5 ffff8800119c9c88 ffffffff81178075 0000000000000286
[ 833.215629] 0000000000000000 ffff88000c4276c0 ffff8800119c9ce8 ffff8800119c9cc8
[ 833.215629] ffffffff8116b06e ffff88001bc6fc00 ffff88000c4276c0 ffff88000c4276c0
[ 833.215629] Call Trace:
[ 833.215629] [<ffffffff8116a9b5>] ? d_alloc_and_lookup+0x45/0x90
[ 833.215629] [<ffffffff81178075>] ? d_lookup+0x35/0x60
[ 833.215629] [<ffffffff8116b06e>] __lookup_hash.part.14+0x9e/0xc0
[ 833.215629] [<ffffffff8116b1d6>] lookup_one_len+0x146/0x1e0
[ 833.215629] [<ffffffff815e4f7e>] ? _raw_spin_lock+0xe/0x20
[ 833.215629] [<ffffffffa01eef0d>] cifs_do_mount+0x26d/0x500 [cifs]
[ 833.215629] [<ffffffff81163bd3>] mount_fs+0x43/0x1b0
[ 833.215629] [<ffffffff8117d41a>] vfs_kern_mount+0x6a/0xd0
[ 833.215629] [<ffffffff8117e584>] do_kern_mount+0x54/0x110
[ 833.215629] [<ffffffff8117fdc2>] do_mount+0x262/0x840
[ 833.215629] [<ffffffff81108a0e>] ? __get_free_pages+0xe/0x50
[ 833.215629] [<ffffffff8117f9ca>] ? copy_mount_options+0x3a/0x180
[ 833.215629] [<ffffffff8118075d>] sys_mount+0x8d/0xe0
[ 833.215629] [<ffffffff815ece82>] system_call_fastpath+0x16/0x1b
[ 833.215629] Code: Bad RIP value.
[ 833.215629] RIP [< (null)>] (null)
[ 833.215629] RSP <ffff8800119c9c50>
[ 833.215629] CR2: 0000000000000000
[ 833.238525] ---[ end trace ec00758b8d44f529 ]---
When walking down the path on the server, it's possible to hit a
symlink. The path walking code assumes that the caller will handle that
situation properly, but cifs_get_root() isn't set up for it. This patch
prevents the oops by simply returning an error.
A better solution would be to try and chase the symlinks here, but that's
fairly complicated to handle.
Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=53221
Reported-and-tested-by: Kjell Braden <afflux@pentabarf.de>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsfs.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -557,6 +557,11 @@ cifs_get_root(struct smb_vol *vol, struc
dentry = ERR_PTR(-ENOENT);
break;
}
+ if (!S_ISDIR(dir->i_mode)) {
+ dput(dentry);
+ dentry = ERR_PTR(-ENOTDIR);
+ break;
+ }
/* skip separators */
while (*s == sep)
next prev parent reply other threads:[~2013-03-12 22:43 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-12 22:43 [ 00/40] 3.4.36-stable review Greg Kroah-Hartman
2013-03-12 22:43 ` [ 01/40] ARM: VFP: fix emulation of second VFP instruction Greg Kroah-Hartman
2013-03-12 22:43 ` [ 02/40] ARM: fix scheduling while atomic warning in alignment handling code Greg Kroah-Hartman
2013-03-12 22:43 ` [ 03/40] xen/pci: We dont do multiple MSIs Greg Kroah-Hartman
2013-03-12 22:43 ` [ 04/40] SCSI: dc395x: uninitialized variable in device_alloc() Greg Kroah-Hartman
2013-03-12 22:43 ` [ 05/40] SCSI: storvsc: Initialize the sglist Greg Kroah-Hartman
2013-03-12 22:43 ` [ 06/40] target/pscsi: Fix page increment Greg Kroah-Hartman
2013-03-12 22:43 ` [ 07/40] btrfs: Init io_lock after cloning btrfs device struct Greg Kroah-Hartman
2013-03-12 22:43 ` Greg Kroah-Hartman [this message]
2013-03-12 22:43 ` [ 09/40] NFS: Dont allow NFS silly-renamed files to be deleted, no signal Greg Kroah-Hartman
2013-03-12 22:43 ` [ 10/40] SUNRPC: Dont start the retransmission timer when out of socket space Greg Kroah-Hartman
2013-03-12 22:43 ` [ 11/40] ata_piix: reenable MS Virtual PC guests Greg Kroah-Hartman
2013-03-12 22:43 ` [ 12/40] hw_random: make buffer usable in scatterlist Greg Kroah-Hartman
2013-03-13 22:54 ` Satoru Takeuchi
2013-03-14 6:41 ` Rusty Russell
2013-03-14 13:24 ` [PATCH] hw_random: free rng_buffer at module exit Satoru Takeuchi
2013-03-15 5:05 ` Rusty Russell
2013-03-17 2:14 ` Ben Hutchings
2013-03-18 2:40 ` Rusty Russell
2013-03-20 0:29 ` Satoru Takeuchi
2013-03-12 22:43 ` [ 13/40] mwifiex: correct sleep delay counter Greg Kroah-Hartman
2013-03-12 22:43 ` [ 14/40] ath9k: fix RSSI dummy marker value Greg Kroah-Hartman
2013-03-12 22:43 ` [ 15/40] ath9k_hw: improve reset reliability after errors Greg Kroah-Hartman
2013-03-12 22:43 ` [ 16/40] md: protect against crash upon fsync on ro array Greg Kroah-Hartman
2013-03-12 22:43 ` [ 17/40] md: fix two bugs when attempting to resize RAID0 array Greg Kroah-Hartman
2013-03-12 22:43 ` [ 18/40] md: raid0: fix error return from create_stripe_zones Greg Kroah-Hartman
2013-03-12 22:43 ` [ 19/40] hwmon: (sht15) Check return value of regulator_enable() Greg Kroah-Hartman
2013-03-12 22:43 ` [ 20/40] hwmon: (pmbus/ltc2978) Fix peak attribute handling Greg Kroah-Hartman
2013-03-12 22:43 ` [ 21/40] hwmon: (pmbus/ltc2978) Use detected chip ID to select supported functionality Greg Kroah-Hartman
2013-03-12 22:43 ` [ 22/40] drm/radeon: add primary dac adj quirk for R200 board Greg Kroah-Hartman
2013-03-12 22:43 ` [ 23/40] ARM: 7663/1: perf: fix ARMv7 EVTYPE_MASK to include NSH bit Greg Kroah-Hartman
2013-03-12 22:43 ` [ 24/40] ALSA: ice1712: Initialize card->private_data properly Greg Kroah-Hartman
2013-03-12 22:43 ` [ 25/40] ALSA: vmaster: Fix slave change notification Greg Kroah-Hartman
2013-03-12 22:43 ` [ 26/40] e1000e: fix pci-device enable-counter balance Greg Kroah-Hartman
2013-03-12 22:43 ` [ 27/40] HID: logitech-dj: do not directly call hid_output_raw_report() during probe Greg Kroah-Hartman
2013-03-12 22:43 ` [ 28/40] xen/pat: Disable PAT using pat_enabled value Greg Kroah-Hartman
2013-03-12 22:43 ` [ 29/40] crypto: user - fix info leaks in report API Greg Kroah-Hartman
2013-03-12 22:43 ` [ 30/40] keys: fix race with concurrent install_user_keyrings() Greg Kroah-Hartman
2013-03-12 22:43 ` [ 31/40] Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Greg Kroah-Hartman
2013-03-12 22:43 ` [ 32/40] vfs: fix pipe counter breakage Greg Kroah-Hartman
2013-03-12 22:43 ` [ 33/40] rtc: rtc-mv: Add support for clk to avoid lockups Greg Kroah-Hartman
2013-03-12 23:08 ` Jason Cooper
2013-03-12 23:15 ` Greg Kroah-Hartman
2013-03-12 22:43 ` [ 34/40] Fix memory leak in cpufreq stats Greg Kroah-Hartman
2013-03-12 22:43 ` [ 35/40] ftrace: Update the kconfig for DYNAMIC_FTRACE Greg Kroah-Hartman
2013-03-12 22:43 ` [ 36/40] dmi_scan: fix missing check for _DMI_ signature in smbios_present() Greg Kroah-Hartman
2013-03-12 22:43 ` [ 37/40] USB: Dont use EHCI port sempahore for USB 3.0 hubs Greg Kroah-Hartman
2013-03-12 22:43 ` [ 38/40] USB: Prepare for refactoring by adding extra udev checks Greg Kroah-Hartman
2013-03-12 22:44 ` [ 39/40] USB: Rip out recursive call on warm port reset Greg Kroah-Hartman
2013-03-12 22:44 ` [ 40/40] Revert "ALSA: hda - hdmi: Make jacks phantom, if theyre not detectable" Greg Kroah-Hartman
2013-03-13 3:57 ` [ 00/40] 3.4.36-stable review Shuah Khan
2013-03-14 13:39 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130312223212.375138897@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jlayton@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sfrench@us.ibm.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).