2.6.39-stable review patch. If anyone has any objections, please let us know.
------------------ From: Tetsuo Handa <[email protected]> commit 4e78c724d47e2342aa8fde61f6b8536f662f795f upstream. In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing mount(NULL, "/", "ext3", 0, NULL) request. Fix this by checking dev_name != NULL before calling kern_path(dev_name). Signed-off-by: Tetsuo Handa <[email protected]> Signed-off-by: James Morris <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- security/tomoyo/mount.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/security/tomoyo/mount.c +++ b/security/tomoyo/mount.c @@ -138,7 +138,7 @@ static int tomoyo_mount_acl(struct tomoy } if (need_dev) { /* Get mount point or device file. */ - if (kern_path(dev_name, LOOKUP_FOLLOW, &path)) { + if (!dev_name || kern_path(dev_name, LOOKUP_FOLLOW, &path)) { error = -ENOENT; goto out; } _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
