From: J. R. Okajima <hooanon05@yahoo.co.jp>
Date: Sun, 7 Feb 2010 06:48:55 +0000 (+1100)
Subject: ima: fix null pointer deref
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fjmorris%2Fsecurity-testing-2.6.git;a=commitdiff_plain;h=8bb6795424b09db0eca1cccf7a17b93fc28ac7f7
 
ima: fix null pointer deref
 
The commit 6c21a7f "LSM: imbed ima calls in the security hooks"
which moves the ima_file_free() call within security_file_free()
brought a problem into pipe.c.
In the error path of pipe(2), the allocated resources are freed by
path_put() and put_filp() (in this order). Since security_file_free()
refers f_dentry and ima_file_free() refers f_dentry->d_inode, path_put()
should be called after put_filp().
 
Signed-off-by: J. R. Okajima <hooanon05@yahoo.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
---
 
diff --git a/fs/pipe.c b/fs/pipe.c
index 37ba29f..90b543d 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1004,9 +1004,10 @@ struct file *create_write_pipe(int flags)
 
 void free_write_pipe(struct file *f)
 {
+	struct path path = f->f_path;
 	free_pipe_info(f->f_dentry->d_inode);
-	path_put(&f->f_path);
 	put_filp(f);
+	path_put(&path);
 }
 
 struct file *create_read_pipe(struct file *wrf, int flags)
@@ -1028,6 +1029,7 @@ int do_pipe_flags(int *fd, int flags)
 	struct file *fw, *fr;
 	int error;
 	int fdw, fdr;
+	struct path path;
 
 	if (flags & ~(O_CLOEXEC | O_NONBLOCK))
 		return -EINVAL;
@@ -1061,8 +1063,9 @@ int do_pipe_flags(int *fd, int flags)
  err_fdr:
 	put_unused_fd(fdr);
  err_read_pipe:
-	path_put(&fr->f_path);
+	path = fr->f_path;
 	put_filp(fr);
+	path_put(&path);
  err_write_pipe:
 	free_write_pipe(fw);
 	return error;