commit: 4e78c724d47e2342aa8fde61f6b8536f662f795f From: Tetsuo Handa <[email protected]> Date: Mon, 13 Jun 2011 13:49:11 +0900 Subject: [PATCH] TOMOYO: Fix oops in tomoyo_mount_acl().
In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing mount(NULL, "/", "ext3", 0, NULL) request. Fix this by checking dev_name != NULL before calling kern_path(dev_name). Signed-off-by: Tetsuo Handa <[email protected]> Cc: [email protected] Signed-off-by: James Morris <[email protected]> --- security/tomoyo/mount.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c index 162a864..9fc2e15 100644 --- a/security/tomoyo/mount.c +++ b/security/tomoyo/mount.c @@ -138,7 +138,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, } if (need_dev) { /* Get mount point or device file. */ - if (kern_path(dev_name, LOOKUP_FOLLOW, &path)) { + if (!dev_name || kern_path(dev_name, LOOKUP_FOLLOW, &path)) { error = -ENOENT; goto out; } _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
