Re: PATCH: fd leak if pipe() is called with an invalid address.
From: Amerigo Wang
Date: Thu Jul 02 2009 - 05:10:22 EST
On Thu, Jul 02, 2009 at 03:21:55PM +0800, Changli Gao wrote:
>fd leak if pipe() is called with an invalid address.
>
>Though -EFAULT is returned, the file descriptors opened by pipe() call
>are left open.
Looks reasonable.
>
>Signed-off-by: Changli Gao <xiaosuo@xxxxxxxxx>
Reviewed-by: WANG Cong <xiyou.wangcong@xxxxxxxxx>
>----
>
> x86/ia32/sys_ia32.c | 5 ++++-
> xtensa/kernel/syscall.c | 5 ++++-
> 2 files changed, 8 insertions(+), 2 deletions(-)
>
>
>--- arch/x86/ia32/sys_ia32.c.orig 2009-07-02 15:08:39.000000000 +0800
>+++ arch/x86/ia32/sys_ia32.c 2009-07-02 15:09:49.000000000 +0800
>@@ -197,8 +197,11 @@
> retval = do_pipe_flags(fds, 0);
> if (retval)
> goto out;
>- if (copy_to_user(fd, fds, sizeof(fds)))
>+ if (copy_to_user(fd, fds, sizeof(fds))) {
>+ sys_close(fd[0]);
>+ sys_close(fd[1]);
> retval = -EFAULT;
>+ }
> out:
> return retval;
> }
>--- arch/xtensa/kernel/syscall.c.orig 2009-07-02 15:09:01.000000000 +0800
>+++ arch/xtensa/kernel/syscall.c 2009-07-02 15:10:15.000000000 +0800
>@@ -51,8 +51,11 @@
>
> error = do_pipe_flags(fd, 0);
> if (!error) {
>- if (copy_to_user(userfds, fd, 2 * sizeof(int)))
>+ if (copy_to_user(userfds, fd, 2 * sizeof(int))) {
>+ sys_close(fd[0]);
>+ sys_close(fd[1]);
> error = -EFAULT;
>+ }
> }
> return error;
> }
>
>--
>To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>the body of a message to majordomo@xxxxxxxxxxxxxxx
>More majordomo info at http://vger.kernel.org/majordomo-info.html
>Please read the FAQ at http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/