Commit ad3c43bb authored by Eric Sandeen's avatar Eric Sandeen Committed by Adrian Bunk

hfs_fill_super returns success even if no root inode (CVE-2006-6056)

http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html

mount that image...
fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended.  mounting read-only.
hfs: get root inode failed.
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
 printing eip
...
EIP is at superblock_doinit+0x21/0x767
...
 [] selinux_sb_kern_mount+0xc/0x4b
 [] vfs_kern_mount+0x99/0xf6
 [] do_kern_mount+0x2d/0x3e
 [] do_mount+0x5fa/0x66d
 [] sys_mount+0x77/0xae
 [] syscall_call+0x7/0xb
DWARF2 unwinder stuck at syscall_call+0x7/0xb

hfs_fill_super() returns success even if
  root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
or
  sb->s_root = d_alloc_root(root_inode);

fails.  This superblock finds its way to superblock_doinit() which does:

        struct dentry *root = sb->s_root;
        struct inode *inode = root->d_inode;

and boom.  Need to make sure the error cases return an error, I think.

[akpm@osdl.org: return -ENOMEM on oom]
Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarAdrian Bunk <bunk@stusta.de>
parent 6a4121f6
...@@ -390,11 +390,13 @@ static int hfs_fill_super(struct super_block *sb, void *data, int silent) ...@@ -390,11 +390,13 @@ static int hfs_fill_super(struct super_block *sb, void *data, int silent)
hfs_find_exit(&fd); hfs_find_exit(&fd);
goto bail_no_root; goto bail_no_root;
} }
res = -EINVAL;
root_inode = hfs_iget(sb, &fd.search_key->cat, &rec); root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
hfs_find_exit(&fd); hfs_find_exit(&fd);
if (!root_inode) if (!root_inode)
goto bail_no_root; goto bail_no_root;
res = -ENOMEM;
sb->s_root = d_alloc_root(root_inode); sb->s_root = d_alloc_root(root_inode);
if (!sb->s_root) if (!sb->s_root)
goto bail_iput; goto bail_iput;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment