Re: CVE-2016-7097 causes acl leak

From: Mark Salyzyn
Date: Mon Dec 12 2016 - 19:26:07 EST


On 12/11/2016 04:34 PM, Cong Wang wrote:
On Mon, Dec 5, 2016 at 9:16 AM, Mark Salyzyn <salyzyn@xxxxxxxxxxx> wrote:
Commit 073931017b49d9458aa351605b43a7e34598caef has several occurrences of
an acl leak.

posix_acl_update_mode(inose, &mode, &acl);

. . .

posix_acl_release(acl);


acl is NULLed in posix_acl_update_mode to signal caller to not update the
acl; but because it is nulled, it is never released.
I think you blame the wrong commit, this leak exists before that commit.
Looks like we should just release it before NULL'ing.

diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 5955220..edd862a 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -648,8 +648,10 @@ int posix_acl_update_mode(struct inode *inode,
umode_t *mode_p,
error = posix_acl_equiv_mode(*acl, &mode);
if (error < 0)
return error;
- if (error == 0)
+ if (error == 0) {
+ posix_acl_release(*acl);
*acl = NULL;
+ }
if (!in_group_p(inode->i_gid) &&
!capable_wrt_inode_uidgid(inode, CAP_FSETID))
mode &= ~S_ISGID;

The leaks were introduced in 9p, gfs2, jfs and xfs drivers only.


-- Mark