[PATCH] [SECURITY, 2.4] Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
From: Horms
Date: Fri Oct 28 2005 - 04:43:10 EST
This is CAN-2005-3181, and a backport of
829841146878e082613a49581ae252c071057c23 from Linus's 2.6 tree to 2.4.
Original Description and Sign-Off:
Avoid 'names_cache' memory leak with CONFIG_AUDITSYSCALL
The nameidata "last.name" is always allocated with "__getname()", and
should always be free'd with "__putname()".
Using "putname()" without the underscores will leak memory, because the
allocation will have been hidden from the AUDITSYSCALL code.
Arguably the real bug is that the AUDITSYSCALL code is really broken,
but in the meantime this fixes the problem people see.
Reported by Robert Derr, patch by Rick Lindsley.
Acked-by: Al Viro <viro@xxxxxxxxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxx>
My sign off, indicating I think it applies to 2.4:
Signed-off-by: Horms <horms@xxxxxxxxxxxx>
--- from-0001/fs/namei.c
+++ to-work/fs/namei.c 2005-10-11 18:23:56.000000000 +0900
@@ -1198,18 +1198,18 @@ do_link:
if (nd->last_type != LAST_NORM)
goto exit;
if (nd->last.name[nd->last.len]) {
- putname(nd->last.name);
+ __putname(nd->last.name);
goto exit;
}
error = -ELOOP;
if (count++==32) {
- putname(nd->last.name);
+ __putname(nd->last.name);
goto exit;
}
dir = nd->dentry;
down(&dir->d_inode->i_sem);
dentry = lookup_hash(&nd->last, nd->dentry);
- putname(nd->last.name);
+ __putname(nd->last.name);
goto do_last;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/