[PATCH] Lost sockfd_put() in routing_ioctl()

This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on
64bit platforms, bug found by Vasiliy Averin <vvs@sw.ru>.

I believe this is a security issues, since user can fget() file as many
times as he wants to. So file refcounter can be overlapped and first
fput() will free resources though there will be still structures
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.

The oops can be done under files_lock and others, so this can be an
exploitable DoS on SMP. Didn't checked it on practice actually.

Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-Off-By: Maxim Giryaev <gem@sw.ru>
Signed-off-by: Chris Wright <chrisw@osdl.org>

diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
index 155e612635f1341e1711f2546c638fa6da9dc0c5..e28a74203f3b1ae42896532a1c5e68bfb6e9c6e1 100644 (file)
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -798,13 +798,16 @@ static int routing_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
                r = (void *) &r4;
        }
 
-       if (ret)
-               return -EFAULT;
+       if (ret) {
+               ret = -EFAULT;
+               goto out;
+       }
 
        set_fs (KERNEL_DS);
        ret = sys_ioctl (fd, cmd, (unsigned long) r);
        set_fs (old_fs);
 
+out:
        if (mysock)
                sockfd_put(mysock);