linux-kernel.vger.kernel.org archive mirror
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Al Viro <viro@zeniv.linux.org.uk>
Subject: [7/9] fix braindamage in audit_tree.c untag_chunk()
Date: Thu, 14 Jan 2010 14:46:43 -0800
Message-ID: <20100114224807.227254692@mini.kroah.org>
In-Reply-To: <20100114224848.GA532@kroah.com>

2.6.31-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit 6f5d51148921c242680a7a1d9913384a30ab3cbe upstream.

... aka "Al had badly fscked up when writing that thing and nobody
noticed until Eric had fixed leaks that used to mask the breakage".

The function essentially creates a copy of old array sans one element
and replaces the references to elements of original (they are on cyclic
lists) with those to corresponding elements of new one.  After that the
old one is fair game for freeing.

First of all, there's a dumb braino: when we get to list_replace_init we
use indices for wrong arrays - position in new one with the old array
and vice versa.

Another bug is more subtle - termination condition is wrong if the
element to be excluded happens to be the last one.  We shouldn't go
until we fill the new array, we should go until we'd finished the old
one.  Otherwise the element we are trying to kill will remain on the
cyclic lists...

That crap used to be masked by several leaks, so it was not quite
trivial to hit.  Eric had fixed some of those leaks a while ago and the
shit had hit the fan...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 kernel/audit_tree.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -277,7 +277,7 @@ static void untag_chunk(struct node *p)
 		owner->root = NULL;
 	}
 
-	for (i = j = 0; i < size; i++, j++) {
+	for (i = j = 0; j <= size; i++, j++) {
 		struct audit_tree *s;
 		if (&chunk->owners[j] == p) {
 			list_del_init(&p->list);
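Review bot: the new bound `j <= size` is only correct because `j` indexes the old `chunk->owners` array, which has one entry more than `size` (the length of `new->owners`), while `i` indexes the new array; the adjustment that keeps `i` from advancing past the excluded slot is outside the shown context, so a one-line comment on the `for` stating which index walks which array would keep the `<=` from reading as an off-by-one. The old bound `i < size` ended one old entry early, so when `p` was the last element the `list_del_init(&p->list)` branch was never reached and `p` stayed on its cyclic list, which is exactly the failure the commit message describes.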
@@ -290,7 +290,7 @@ static void untag_chunk(struct node *p)
 		if (!s) /* result of earlier fallback */
 			continue;
 		get_tree(s);
-		list_replace_init(&chunk->owners[i].list, &new->owners[j].list);
+		list_replace_init(&chunk->owners[j].list, &new->owners[i].list);
 	}
 
 	list_replace_rcu(&chunk->hash, &new->hash);
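Review bot: the swapped arguments now agree with the `if (&chunk->owners[j] == p)` test earlier in the loop, which already treats `j` as the old-array index; before this change the old entry was addressed with `i` and the new slot with `j`, so as soon as the two indices diverged the replace moved the wrong old node and filled the wrong new slot. This hunk and the loop-bound hunk above only fix the function together (either one alone leaves it broken), which is worth a sentence in the commit message or a comment at the loop so a later backport does not pick up just one of them.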

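To make the two defects concrete, here is an added model of the loop with stand-in list primitives; it is not code from the kernel or from this patch, and the `i--` that keeps the new-array index in step after the skipped element is assumed, since it lies outside the hunk's context.

```c
#include <stddef.h>

/* Minimal stand-ins for the kernel list primitives untag_chunk() relies on. */
struct list_head { struct list_head *next, *prev; };
struct node { struct list_head list; };

static void init_head(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *e, struct list_head *head)
{ e->next = head->next; e->prev = head; head->next->prev = e; head->next = e; }
static void list_del_init(struct list_head *e)
{ e->prev->next = e->next; e->next->prev = e->prev; init_head(e); }
/* Put new in old's place on its cyclic list and leave old detached. */
static void list_replace_init(struct list_head *old, struct list_head *new)
{ new->next = old->next; new->next->prev = new;
  new->prev = old->prev; new->prev->next = new; init_head(old); }

/* Post-patch loop: j walks the old array (size+1 entries), i the new one.
 * The i-- on the skipped element is assumed; it is outside the hunk. */
static void untag_fixed(struct node *old, int size, struct node *p, struct node *new)
{
	int i, j;
	for (i = j = 0; j <= size; i++, j++) {
		if (&old[j] == p) { list_del_init(&p->list); i--; continue; }
		list_replace_init(&old[j].list, &new[i].list);
	}
}

/* Pre-patch loop: stops after size iterations, so a p that is the last
 * element is never reached and stays on its cyclic list. */
static void untag_buggy(struct node *old, int size, struct node *p, struct node *new)
{
	int i, j;
	for (i = j = 0; i < size; i++, j++) {
		if (&old[j] == p) { list_del_init(&p->list); i--; continue; }
		list_replace_init(&old[i].list, &new[j].list);
	}
}

/* Constructed scenario: size+1 nodes, each alone on its own list head; drop
 * the last one. Returns 1 if it is still linked afterwards (the bug), else 0. */
static int removed_last_still_linked(int size, int fixed)
{
	struct node old[8], new[8]; struct list_head heads[8];
	for (int k = 0; k <= size; k++) { init_head(&heads[k]); list_add(&old[k].list, &heads[k]); }
	if (fixed) untag_fixed(old, size, &old[size], new);
	else untag_buggy(old, size, &old[size], new);
	return !list_empty(&old[size].list);
}
```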