Public bug reported:

Binary package hint: linux-image-2.6.20-16-generic

Running feisty, 2.6.20-16-generic, but this problem remains in the
latest feisty and gutsy trees in git.

Found via code inspection that structure "sub_info" is dereferenced
after kfree() in finish_usermodehelper_pipe() in kernel/kmod.c:

int finish_usermodehelper_pipe(struct subprocess_info *sub_info)
{
        wait_for_completion(sub_info->complete);
        kfree(sub_info->complete);
        kfree(sub_info);

        return sub_info->retval;
}

This could result in an unwanted fault or a bad return value going back
to the caller.  I believe the fix is:

$ diff -u kmod.c.orig kmod.c.fix
--- kmod.c.orig 2007-04-12 12:16:23.000000000 -0500
+++ kmod.c.fix  2007-08-12 18:00:07.000000000 -0500
@@ -338,11 +338,13 @@
 
 int finish_usermodehelper_pipe(struct subprocess_info *sub_info)
 {
+       int retval;
        wait_for_completion(sub_info->complete);
+       retval = sub_info->retval;
        kfree(sub_info->complete);
        kfree(sub_info);
 
-       return sub_info->retval;
+       return retval;
 }
 EXPORT_SYMBOL(finish_usermodehelper_pipe);
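Review bot: the hunk fixes the use-after-free correctly by reading `sub_info->retval` into the local `retval` after `wait_for_completion()` and before either `kfree()`, so the value returned to the caller is taken while the object is still live; one style nit for kernel submission is a blank line between the `int retval;` declaration and the `wait_for_completion(sub_info->complete);` statement that follows it.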

** Affects: linux-source-2.6.20 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
sub_info dereferenced after free in finish_usermodehelper_pipe
https://bugs.launchpad.net/bugs/132089
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.
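To make the failure mode concrete, here is an added user-space model of the bug (example code written for this page, not from the report or the kernel tree). It assumes minimal shapes for struct completion and struct subprocess_info, and replaces kfree() with a model that poisons the object with 0x6b, the byte the kernel's slab debugging writes into freed memory, so the stale read in the buggy version shows up as a recognizable garbage value instead of silently returning the old one. The names kfree_model, finish_buggy, finish_fixed, run_buggy, run_fixed and poisoned_int are this example's own.

```c
/* Added example, not part of the bug report or the kernel tree: a user-space
 * model of the use-after-free in finish_usermodehelper_pipe(). The freeing
 * routine poisons the object with 0x6b, the byte the kernel's slab debugging
 * (POISON_FREE) writes into freed objects, so the stale read in the buggy
 * version returns a recognizable garbage value instead of silently "working". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE_BYTE 0x6b   /* same value as the kernel's POISON_FREE */

/* Assumed minimal shapes of the two kernel structures the report refers to. */
struct completion { int done; };
struct subprocess_info {
    struct completion *complete;
    int retval;
};

/* Model of kfree() under slab debugging: poison the object, then park it
 * instead of returning it to the allocator, so that the dangling read in
 * finish_buggy() touches memory this program still owns (defined behaviour
 * here; in the kernel it would be a real use-after-free). */
#define PARKED_MAX 64
static void *parked[PARKED_MAX];
static int parked_count;

static void kfree_model(void *obj, size_t size)
{
    memset(obj, POISON_FREE_BYTE, size);
    if (parked_count < PARKED_MAX)
        parked[parked_count++] = obj;     /* otherwise deliberately leaked */
}

/* Stand-in for wait_for_completion(): the helper has "finished". */
static void wait_for_completion_model(struct completion *c) { c->done = 1; }

/* Buggy version, same order of operations as the report's listing. */
int finish_buggy(struct subprocess_info *sub_info)
{
    wait_for_completion_model(sub_info->complete);
    kfree_model(sub_info->complete, sizeof *sub_info->complete);
    kfree_model(sub_info, sizeof *sub_info);
    return sub_info->retval;              /* read after free */
}

/* Fixed version, same change as the proposed patch: copy retval out first. */
int finish_fixed(struct subprocess_info *sub_info)
{
    int retval;

    wait_for_completion_model(sub_info->complete);
    retval = sub_info->retval;
    kfree_model(sub_info->complete, sizeof *sub_info->complete);
    kfree_model(sub_info, sizeof *sub_info);
    return retval;
}

/* Build a subprocess_info whose helper "exited" with the given status
 * (constructed sample input for the model). */
static struct subprocess_info *make_info(int retval)
{
    struct subprocess_info *s = malloc(sizeof *s);
    if (!s)
        abort();
    s->complete = malloc(sizeof *s->complete);
    if (!s->complete)
        abort();
    s->complete->done = 0;
    s->retval = retval;
    return s;
}

/* The value a poisoned int reads back as (0x6b6b6b6b with a 32-bit int). */
int poisoned_int(void)
{
    int v;
    memset(&v, POISON_FREE_BYTE, sizeof v);
    return v;
}

int run_buggy(int retval) { return finish_buggy(make_info(retval)); }
int run_fixed(int retval) { return finish_fixed(make_info(retval)); }

/* Release the parked objects (the model's counterpart of the slab reclaiming them). */
void release_parked(void)
{
    while (parked_count > 0)
        free(parked[--parked_count]);
}

int main(void)
{
    printf("buggy : 0x%08x (poison pattern is 0x%08x)\n",
           (unsigned)run_buggy(7), (unsigned)poisoned_int());
    printf("fixed : %d\n", run_fixed(7));
    release_parked();
    return 0;
}
```

Without poisoning, the buggy version usually returns the right value because the freed slab object has not been reused yet, which is exactly why this class of bug survives code inspection only; with CONFIG_DEBUG_SLAB-style poisoning the caller would see 0x6b6b6b6b, and the fixed version returns the helper's real status regardless.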
