Re: CVE-2016-7097 causes acl leak

From: Cong Wang
Date: Sun Dec 11 2016 - 19:34:57 EST


On Mon, Dec 5, 2016 at 9:16 AM, Mark Salyzyn <salyzyn@xxxxxxxxxxx> wrote:
> Commit 073931017b49d9458aa351605b43a7e34598caef has several occurrences of
> an acl leak.
>
> posix_acl_update_mode(inose, &mode, &acl);
>
> . . .
>
> posix_acl_release(acl);
>
>
> acl is NULLed in posix_acl_update_mode to signal caller to not update the
> acl; but because it is nulled, it is never released.

I think you blame the wrong commit, this leak exists before that commit.
Looks like we should just release it before NULL'ing.

diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 5955220..edd862a 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -648,8 +648,10 @@ int posix_acl_update_mode(struct inode *inode,
umode_t *mode_p,
error = posix_acl_equiv_mode(*acl, &mode);
if (error < 0)
return error;
- if (error == 0)
+ if (error == 0) {
+ posix_acl_release(*acl);
*acl = NULL;
+ }
if (!in_group_p(inode->i_gid) &&
!capable_wrt_inode_uidgid(inode, CAP_FSETID))
mode &= ~S_ISGID;