epoll: clear the tfile_check_list on -ELOOP (CVE-2012-3375)
svn path=/dists/sid/linux/; revision=19253
This commit is contained in:
parent
6edd9fa52a
commit
01d775979f
|
@ -33,6 +33,7 @@ linux (3.2.23-1) UNRELEASED; urgency=low
|
||||||
* linux-image: Remove versioned relations where stable version is new enough
|
* linux-image: Remove versioned relations where stable version is new enough
|
||||||
* udf: Improve table length check to avoid possible overflow
|
* udf: Improve table length check to avoid possible overflow
|
||||||
* CIFS: Respect negotiated MaxMpxCount (deferred from 3.2.14)
|
* CIFS: Respect negotiated MaxMpxCount (deferred from 3.2.14)
|
||||||
|
* epoll: clear the tfile_check_list on -ELOOP (CVE-2012-3375)
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Fri, 29 Jun 2012 15:01:22 +0100
|
-- Ben Hutchings <ben@decadent.org.uk> Fri, 29 Jun 2012 15:01:22 +0100
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,39 @@
|
||||||
|
From: Jason Baron <jbaron@redhat.com>
|
||||||
|
Date: Wed, 25 Apr 2012 16:01:47 -0700
|
||||||
|
Subject: epoll: clear the tfile_check_list on -ELOOP
|
||||||
|
|
||||||
|
commit 13d518074a952d33d47c428419693f63389547e9 upstream.
|
||||||
|
|
||||||
|
An epoll_ctl(,EPOLL_CTL_ADD,,) operation can return '-ELOOP' to prevent
|
||||||
|
circular epoll dependencies from being created. However, in that case we
|
||||||
|
do not properly clear the 'tfile_check_list'. Thus, add a call to
|
||||||
|
clear_tfile_check_list() for the -ELOOP case.
|
||||||
|
|
||||||
|
Signed-off-by: Jason Baron <jbaron@redhat.com>
|
||||||
|
Reported-by: Yurij M. Plotnikov <Yurij.Plotnikov@oktetlabs.ru>
|
||||||
|
Cc: Nelson Elhage <nelhage@nelhage.com>
|
||||||
|
Cc: Davide Libenzi <davidel@xmailserver.org>
|
||||||
|
Tested-by: Alexandra N. Kossovsky <Alexandra.Kossovsky@oktetlabs.ru>
|
||||||
|
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
---
|
||||||
|
fs/eventpoll.c | 4 +++-
|
||||||
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
|
||||||
|
index 739b098..c0b3c70 100644
|
||||||
|
--- a/fs/eventpoll.c
|
||||||
|
+++ b/fs/eventpoll.c
|
||||||
|
@@ -1663,8 +1663,10 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
|
||||||
|
if (op == EPOLL_CTL_ADD) {
|
||||||
|
if (is_file_epoll(tfile)) {
|
||||||
|
error = -ELOOP;
|
||||||
|
- if (ep_loop_check(ep, tfile) != 0)
|
||||||
|
+ if (ep_loop_check(ep, tfile) != 0) {
|
||||||
|
+ clear_tfile_check_list();
|
||||||
|
goto error_tgt_fput;
|
||||||
|
+ }
|
||||||
|
} else
|
||||||
|
list_add(&tfile->f_tfile_llink, &tfile_check_list);
|
||||||
|
}
|
|
@ -367,3 +367,4 @@ debian/driver-core-avoid-ABI-change-for-removal-of-__must_check.patch
|
||||||
|
|
||||||
bugfix/all/scsi-Silence-unnecessary-warnings-about-ioctl-to-par.patch
|
bugfix/all/scsi-Silence-unnecessary-warnings-about-ioctl-to-par.patch
|
||||||
bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch
|
bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch
|
||||||
|
bugfix/all/epoll-clear-the-tfile_check_list-on-eloop.patch
|
||||||
|
|
Loading…
Reference in New Issue