Re: CVE-2016-7097 causes acl leak
From: Jan Kara
Date: Tue Dec 13 2016 - 06:17:40 EST
On Mon 12-12-16 16:26:00, Mark Salyzyn wrote:
> On 12/11/2016 04:34 PM, Cong Wang wrote:
> >On Mon, Dec 5, 2016 at 9:16 AM, Mark Salyzyn <salyzyn@xxxxxxxxxxx> wrote:
> >>Commit 073931017b49d9458aa351605b43a7e34598caef has several occurrences of
> >>an acl leak.
> >>
> >>posix_acl_update_mode(inose, &mode, &acl);
> >>
> >>. . .
> >>
> >>posix_acl_release(acl);
> >>
> >>
> >>acl is NULLed in posix_acl_update_mode to signal caller to not update the
> >>acl; but because it is nulled, it is never released.
> >I think you blame the wrong commit, this leak exists before that commit.
> >Looks like we should just release it before NULL'ing.
> >
> >diff --git a/fs/posix_acl.c b/fs/posix_acl.c
> >index 5955220..edd862a 100644
> >--- a/fs/posix_acl.c
> >+++ b/fs/posix_acl.c
> >@@ -648,8 +648,10 @@ int posix_acl_update_mode(struct inode *inode,
> >umode_t *mode_p,
> > error = posix_acl_equiv_mode(*acl, &mode);
> > if (error < 0)
> > return error;
> >- if (error == 0)
> >+ if (error == 0) {
> >+ posix_acl_release(*acl);
> > *acl = NULL;
> >+ }
> > if (!in_group_p(inode->i_gid) &&
> > !capable_wrt_inode_uidgid(inode, CAP_FSETID))
> > mode &= ~S_ISGID;
>
> The leaks were introduced in 9p, gfs2, jfs and xfs drivers only.
So I agree 9p leaks acl reference (and it was buggy even before my commit).
GFS2, JFS, and XFS seem to be OK as far as I can tell.
Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR