This should fix the bug, there were some cases outside
of file locking (bonus points to anyone who can craft
an exploit for the ELF interpreter case :-):
--- ./fs/binfmt_elf.c.~1~ Mon Oct 30 11:34:25 2000
+++ ./fs/binfmt_elf.c Tue Nov 28 03:03:43 2000
@@ -247,7 +247,7 @@
goto out;
if (!elf_check_arch(interp_elf_ex))
goto out;
- if (!interpreter->f_op->mmap)
+ if (!interpreter->f_op || !interpreter->f_op->mmap)
goto out;
/*
@@ -364,7 +364,7 @@
do_brk(0, text_data);
retval = -ENOEXEC;
- if (!interpreter->f_op->read)
+ if (!interpreter->f_op || !interpreter->f_op->read)
goto out;
retval = interpreter->f_op->read(interpreter, addr, text_data, &offset);
if (retval < 0)
@@ -789,7 +789,7 @@
/* First of all, some simple consistency checks */
if (elf_ex.e_type != ET_EXEC || elf_ex.e_phnum > 2 ||
- !elf_check_arch(&elf_ex) || !file->f_op->mmap)
+ !elf_check_arch(&elf_ex) || !file->f_op || !file->f_op->mmap)
goto out;
/* Now read in all of the header information */
--- ./fs/dquot.c.~1~ Fri Nov 17 17:24:03 2000
+++ ./fs/dquot.c Tue Nov 28 03:05:43 2000
@@ -1474,7 +1474,7 @@
if (IS_ERR(f))
goto out_lock;
error = -EIO;
- if (!f->f_op->read && !f->f_op->write)
+ if (!f->f_op || (!f->f_op->read && !f->f_op->write))
goto out_f;
inode = f->f_dentry->d_inode;
error = -EACCES;
--- ./fs/exec.c.~1~ Thu Nov 9 20:44:59 2000
+++ ./fs/exec.c Tue Nov 28 03:15:42 2000
@@ -604,6 +604,8 @@
/* Huh? We had already checked for MAY_EXEC, WTF do we check this? */
if (!(mode & 0111)) /* with at least _one_ execute bit set */
return -EACCES;
+ if (bprm->file->f_op == NULL)
+ return -EACCES;
bprm->e_uid = current->euid;
bprm->e_gid = current->egid;
--- ./fs/locks.c.~1~ Tue Nov 7 21:04:51 2000
+++ ./fs/locks.c Tue Nov 28 03:13:34 2000
@@ -511,7 +511,8 @@
struct file_lock *fl = *thisfl_p;
int (*lock)(struct file *, int, struct file_lock *);
- if ((lock = fl->fl_file->f_op->lock) != NULL) {
+ if (fl->fl_file->f_op &&
+ (lock = fl->fl_file->f_op->lock) != NULL) {
fl->fl_type = F_UNLCK;
lock(fl->fl_file, F_SETLK, fl);
}
@@ -1355,7 +1356,7 @@
if (!flock_to_posix_lock(filp, &file_lock, &flock))
goto out_putf;
- if (filp->f_op->lock) {
+ if (filp->f_op && filp->f_op->lock) {
error = filp->f_op->lock(filp, F_GETLK, &file_lock);
if (error < 0)
goto out_putf;
@@ -1479,7 +1480,7 @@
goto out_putf;
}
- if (filp->f_op->lock != NULL) {
+ if (filp->f_op && filp->f_op->lock != NULL) {
error = filp->f_op->lock(filp, cmd, file_lock);
if (error < 0)
goto out_putf;
@@ -1520,7 +1521,7 @@
if (!flock64_to_posix_lock(filp, &file_lock, &flock))
goto out_putf;
- if (filp->f_op->lock) {
+ if (filp->f_op && filp->f_op->lock) {
error = filp->f_op->lock(filp, F_GETLK, &file_lock);
if (error < 0)
goto out_putf;
@@ -1617,7 +1618,7 @@
goto out_putf;
}
- if (filp->f_op->lock != NULL) {
+ if (filp->f_op && filp->f_op->lock != NULL) {
error = filp->f_op->lock(filp, cmd, file_lock);
if (error < 0)
goto out_putf;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Nov 30 2000 - 21:00:19 EST