Re: [PATCH] sysfs: backport of sysfs_readdir fix from 2.6.22.y to 2.6.16.y (CVE-2007-3104)
> This patch solves CVE-2007-3104 - sysfs_readdir oops. >... Thanks, I've applied a similar but slightly different fix in 2.6.16.55-rc1. cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] sysfs: backport of sysfs_readdir fix from 2.6.22.y to 2.6.16.y (CVE-2007-3104)
This patch solves CVE-2007-3104 - sysfs_readdir oops. ... Thanks, I've applied a similar but slightly different fix in 2.6.16.55-rc1. cu Adrian -- Is there not promise of rain? Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. Only a promise, Lao Er said. Pearl S. Buck - Dragon Seed - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] sysfs: backport of sysfs_readdir fix from 2.6.22.y to 2.6.16.y (CVE-2007-3104)
(Adrian should be CCed on things regarding 2.6.16.y kernel) On Sun, 23 Sep 2007, Miloslav Semler wrote: > This patch solves CVE-2007-3104 - sysfs_readdir oops. > More can be found here: > http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commit;h=dc351252b33f8fede396d6173dba117bcb933607 > > Signed-off-by: Miloslav Semler > --- > diff -uprN linux-2.6.16.53/fs/sysfs/dir.c linux-2.6.16.53-new/fs/sysfs/dir.c > --- linux-2.6.16.53/fs/sysfs/dir.c 2007-07-25 23:05:45.0 +0200 > +++ linux-2.6.16.53-new/fs/sysfs/dir.c 2007-09-23 18:18:09.0 +0200 > @@ -29,6 +29,14 @@ static struct dentry_operations sysfs_de >.d_iput = sysfs_d_iput, > }; > > +static unsigned int sysfs_inode_counter; > +ino_t sysfs_get_inum(void) > +{ > + if (unlikely(sysfs_inode_counter < 3)) > + sysfs_inode_counter = 3; > + return sysfs_inode_counter++; > +} > + > /* > * Allocates a new sysfs_dirent and links it to the parent sysfs_dirent > */ > @@ -40,8 +48,10 @@ static struct sysfs_dirent * sysfs_new_d >sd = kmem_cache_alloc(sysfs_dir_cachep, GFP_KERNEL); >if (!sd) >return NULL; > + > >memset(sd, 0, sizeof(*sd)); > + sd->s_ino = sysfs_get_inum(); >atomic_set(>s_count, 1); >INIT_LIST_HEAD(>s_children); >list_add(>s_sibling, _sd->s_children); > @@ -385,7 +395,7 @@ static int sysfs_readdir(struct file * f > >switch (i) { >case 0: > - ino = dentry->d_inode->i_ino; > +ino = parent_sd->s_ino; >if (filldir(dirent, ".", 1, i, ino, DT_DIR) < 0) >break; >filp->f_pos++; > @@ -415,10 +425,7 @@ static int sysfs_readdir(struct file * f > >name = sysfs_get_name(next); >len = strlen(name); > - if (next->s_dentry) > - ino = next->s_dentry->d_inode->i_ino; > - else > - ino = iunique(sysfs_sb, 2); > +ino = next->s_ino; > >if (filldir(dirent, name, len, filp->f_pos, > ino, > dt_type(next)) < 0) > diff -uprN linux-2.6.16.53/fs/sysfs/inode.c > linux-2.6.16.53-new/fs/sysfs/inode.c > --- linux-2.6.16.53/fs/sysfs/inode.c2007-07-25 23:05:45.0 +0200 > +++ linux-2.6.16.53-new/fs/sysfs/inode.c2007-09-23 18:18:09.0 > +0200 > @@ -119,6 +119,7 @@ struct inode * sysfs_new_inode(mode_t mo >inode->i_mapping->a_ops = _aops; >inode->i_mapping->backing_dev_info = > _backing_dev_info; >inode->i_op = _inode_operations; > +inode->i_ino = sd->s_ino; > >if (sd->s_iattr) { >/* sysfs_dirent has non-default attributes > diff -uprN linux-2.6.16.53/fs/sysfs/mount.c > linux-2.6.16.53-new/fs/sysfs/mount.c > --- linux-2.6.16.53/fs/sysfs/mount.c2007-07-25 23:05:45.0 +0200 > +++ linux-2.6.16.53-new/fs/sysfs/mount.c2007-09-23 18:18:09.0 > +0200 > @@ -29,6 +29,7 @@ static struct sysfs_dirent sysfs_root = >.s_element = NULL, >.s_type = SYSFS_ROOT, >.s_iattr= NULL, > +.s_ino = 1, > }; > > static int sysfs_fill_super(struct super_block *sb, void *data, int silent) > diff -uprN linux-2.6.16.53/include/linux/sysfs.h > linux-2.6.16.53-new/include/linux/sysfs.h > --- linux-2.6.16.53/include/linux/sysfs.h 2007-07-25 23:05:45.0 > +0200 > +++ linux-2.6.16.53-new/include/linux/sysfs.h 2007-09-23 18:18:09.0 > +0200 > @@ -72,6 +72,7 @@ struct sysfs_dirent { >void* s_element; >int s_type; >umode_t s_mode; > +ino_t s_ino; >struct dentry * s_dentry; >struct iattr* s_iattr; > }; > - > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to [EMAIL PROTECTED] > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > > - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] sysfs: backport of sysfs_readdir fix from 2.6.22.y to 2.6.16.y (CVE-2007-3104)
(Adrian should be CCed on things regarding 2.6.16.y kernel) On Sun, 23 Sep 2007, Miloslav Semler wrote: This patch solves CVE-2007-3104 - sysfs_readdir oops. More can be found here: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commit;h=dc351252b33f8fede396d6173dba117bcb933607 Signed-off-by: Miloslav Semler --- diff -uprN linux-2.6.16.53/fs/sysfs/dir.c linux-2.6.16.53-new/fs/sysfs/dir.c --- linux-2.6.16.53/fs/sysfs/dir.c 2007-07-25 23:05:45.0 +0200 +++ linux-2.6.16.53-new/fs/sysfs/dir.c 2007-09-23 18:18:09.0 +0200 @@ -29,6 +29,14 @@ static struct dentry_operations sysfs_de .d_iput = sysfs_d_iput, }; +static unsigned int sysfs_inode_counter; +ino_t sysfs_get_inum(void) +{ + if (unlikely(sysfs_inode_counter 3)) + sysfs_inode_counter = 3; + return sysfs_inode_counter++; +} + /* * Allocates a new sysfs_dirent and links it to the parent sysfs_dirent */ @@ -40,8 +48,10 @@ static struct sysfs_dirent * sysfs_new_d sd = kmem_cache_alloc(sysfs_dir_cachep, GFP_KERNEL); if (!sd) return NULL; + memset(sd, 0, sizeof(*sd)); + sd-s_ino = sysfs_get_inum(); atomic_set(sd-s_count, 1); INIT_LIST_HEAD(sd-s_children); list_add(sd-s_sibling, parent_sd-s_children); @@ -385,7 +395,7 @@ static int sysfs_readdir(struct file * f switch (i) { case 0: - ino = dentry-d_inode-i_ino; +ino = parent_sd-s_ino; if (filldir(dirent, ., 1, i, ino, DT_DIR) 0) break; filp-f_pos++; @@ -415,10 +425,7 @@ static int sysfs_readdir(struct file * f name = sysfs_get_name(next); len = strlen(name); - if (next-s_dentry) - ino = next-s_dentry-d_inode-i_ino; - else - ino = iunique(sysfs_sb, 2); +ino = next-s_ino; if (filldir(dirent, name, len, filp-f_pos, ino, dt_type(next)) 0) diff -uprN linux-2.6.16.53/fs/sysfs/inode.c linux-2.6.16.53-new/fs/sysfs/inode.c --- linux-2.6.16.53/fs/sysfs/inode.c2007-07-25 23:05:45.0 +0200 +++ linux-2.6.16.53-new/fs/sysfs/inode.c2007-09-23 18:18:09.0 +0200 @@ -119,6 +119,7 @@ struct inode * sysfs_new_inode(mode_t mo inode-i_mapping-a_ops = sysfs_aops; inode-i_mapping-backing_dev_info = sysfs_backing_dev_info; inode-i_op = sysfs_inode_operations; +inode-i_ino = sd-s_ino; if (sd-s_iattr) { /* sysfs_dirent has non-default attributes diff -uprN linux-2.6.16.53/fs/sysfs/mount.c linux-2.6.16.53-new/fs/sysfs/mount.c --- linux-2.6.16.53/fs/sysfs/mount.c2007-07-25 23:05:45.0 +0200 +++ linux-2.6.16.53-new/fs/sysfs/mount.c2007-09-23 18:18:09.0 +0200 @@ -29,6 +29,7 @@ static struct sysfs_dirent sysfs_root = .s_element = NULL, .s_type = SYSFS_ROOT, .s_iattr= NULL, +.s_ino = 1, }; static int sysfs_fill_super(struct super_block *sb, void *data, int silent) diff -uprN linux-2.6.16.53/include/linux/sysfs.h linux-2.6.16.53-new/include/linux/sysfs.h --- linux-2.6.16.53/include/linux/sysfs.h 2007-07-25 23:05:45.0 +0200 +++ linux-2.6.16.53-new/include/linux/sysfs.h 2007-09-23 18:18:09.0 +0200 @@ -72,6 +72,7 @@ struct sysfs_dirent { void* s_element; int s_type; umode_t s_mode; +ino_t s_ino; struct dentry * s_dentry; struct iattr* s_iattr; }; - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/