
Commit 45525b26 authored by Al Viro

fix a leak in replace_fd() users



replace_fd() began with "eats a reference, tries to insert into
descriptor table" semantics; at some point I'd switched it to
much saner current behaviour ("try to insert into descriptor
table, grabbing a new reference if inserted; caller should do
fput() in any case"), but forgot to update the callers.
Mea culpa...

[Spotted by Pavel Roskin, who has really weird system with pipe-fed
coredumps as part of what he considers a normal boot ;-)]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent dd8e8c4a
+3 −2
@@ -450,11 +450,12 @@ static int umh_pipe_setup(struct subprocess_info *info, struct cred *new)

	cp->file = files[1];

	replace_fd(0, files[0], 0);
	err = replace_fd(0, files[0], 0);
	fput(files[0]);
	/* and disallow core files too */
	current->signal->rlim[RLIMIT_CORE] = (struct rlimit){1, 1};

	return 0;
	return err;
}

void do_coredump(siginfo_t *siginfo, struct pt_regs *regs)
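Review bot: in umh_pipe_setup(), the new "return err;" is reached only after "cp->file = files[1];" has been stored and after RLIMIT_CORE has been rewritten to {1, 1}, so a failing replace_fd() now reports an error with both side effects already applied. Please confirm that the caller releases cp->file when this setup hook returns non-zero, or clear it here before returning, otherwise this hunk closes the files[0] leak but leaves the write end referenced on the failure path. A one-line comment above "fput(files[0]);" stating that replace_fd() takes its own reference when it installs the file would also keep the next caller from repeating the original mistake.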
+7 −11
@@ -2132,18 +2132,14 @@ static inline void flush_unauthorized_files(const struct cred *cred,
		return;

	devnull = dentry_open(&selinux_null, O_RDWR, cred);
	if (!IS_ERR(devnull)) {
	if (IS_ERR(devnull))
		devnull = NULL;
	/* replace all the matching ones with this */
	do {
			replace_fd(n - 1, get_file(devnull), 0);
		replace_fd(n - 1, devnull, 0);
	} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
	if (devnull)
		fput(devnull);
	} else {
		/* just close all the matching ones */
		do {
			replace_fd(n - 1, NULL, 0);
		} while ((n = iterate_fd(files, n, match_file, cred)) != 0);
	}
}

/*
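Review bot: the return value of "replace_fd(n - 1, devnull, 0);" in the loop is still discarded, while the umh_pipe_setup() hunk in this same commit starts propagating it. flush_unauthorized_files() is void, so it cannot be returned, but a failed replacement here means a descriptor that matched match_file stays in the table untouched, which is exactly what this function exists to prevent. Consider retrying with "replace_fd(n - 1, NULL, 0)" or at least warning when the call fails. Separately, the surviving comment "replace all the matching ones with this" no longer describes the case where dentry_open() failed and devnull was set to NULL; the removed comment "just close all the matching ones" carried that information, so the comment should say that a NULL devnull makes the loop close the matching descriptors instead.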