2.6.32-longterm review patch. If anyone has any objections, please let me know.
------------------ From: Al Viro <[email protected]> We end up trying to kfree() nd.last.name on open("/mnt/tmp", O_CREAT) if /mnt/tmp is an autofs direct mount. The reason is that nd.last_type is bogus here; we want LAST_BIND for everything of that kind and we get LAST_NORM left over from finding parent directory. So make sure that it *is* set properly; set to LAST_BIND before doing ->follow_link() - for normal symlinks it will be changed by __vfs_follow_link() and everything else needs it set that way. Signed-off-by: Al Viro <[email protected]> (cherry picked from commit 86acdca1b63e6890540fa19495cfc708beff3d8b) [wt: fixes CVE-2014-0203] Signed-off-by: Willy Tarreau <[email protected]> --- fs/namei.c | 1 + fs/proc/base.c | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index b0afbd4..0d766d2 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -635,6 +635,7 @@ static __always_inline int __do_follow_link(struct path *path, struct nameidata dget(dentry); } mntget(path->mnt); + nd->last_type = LAST_BIND; cookie = dentry->d_inode->i_op->follow_link(dentry, nd); error = PTR_ERR(cookie); if (!IS_ERR(cookie)) { diff --git a/fs/proc/base.c b/fs/proc/base.c index 67f7dc0..c75c5cd 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -1381,7 +1381,6 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd) goto out; error = PROC_I(inode)->op.proc_get_link(inode, &nd->path); - nd->last_type = LAST_BIND; out: return ERR_PTR(error); } -- 1.7.12.2.21.g234cd45.dirty -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
