| 1 |
Candidate: CVE-2005-3356
|
| 2 |
References:
|
| 3 |
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=7c7dce9209161eb260cdf9e9172f72c3a02379e6h+p=12dbf3fc4d06d2c0c4c44dc0612df04248b3cfd3
|
| 4 |
Description:
|
| 5 |
[PATCH] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open
|
| 6 |
.
|
| 7 |
Fixed the refcounting on failure exits in sys_mq_open() and
|
| 8 |
cleaned the logics up. Rules are actually pretty simple - dentry_open()
|
| 9 |
expects vfsmount and dentry to be pinned down and it either transfers
|
| 10 |
them into created struct file or drops them. Old code had been very
|
| 11 |
confused in that area - if dentry_open() had failed either in do_open()
|
| 12 |
or do_create(), we ended up dentry and mqueue_mnt dropped twice, once
|
| 13 |
by dentry_open() cleanup and then by sys_mq_open().
|
| 14 |
.
|
| 15 |
Fix consists of making the rules for do_create() and do_open()
|
| 16 |
same as for dentry_open() and updating the sys_mq_open() accordingly;
|
| 17 |
that actually leads to more straightforward code and less work on
|
| 18 |
normal path.
|
| 19 |
.
|
| 20 |
Signed-off-by: Al Viro <aviro@redhat.com>
|
| 21 |
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
| 22 |
Notes:
|
| 23 |
jmm> Discovered by Doug Chapman
|
| 24 |
Bugs:
|
| 25 |
upstream: released (2.6.15.2)
|
| 26 |
linux-2.6: released (2.6.15-4)
|
| 27 |
2.6.8-sarge-security: released (2.6.8-16sarge2)
|
| 28 |
2.4.27-sarge-security: N/A
|
| 29 |
2.4.19-woody-security: N/A
|
| 30 |
2.4.18-woody-security: N/A
|
| 31 |
2.4.17-woody-security: N/A
|
| 32 |
2.4.16-woody-security: N/A
|
| 33 |
2.4.17-woody-security-hppa: N/A
|
| 34 |
2.4.17-woody-security-ia64: N/A
|
Parent Directory
| 
Revision Log