diff options
author | Jan Kara <jack@suse.cz> | 2014-01-29 00:38:06 +0400 |
---|---|---|
committer | Jan Kara <jack@suse.cz> | 2014-01-29 16:57:17 +0400 |
commit | 85816794240b9659e66e4d9b0df7c6e814e5f603 (patch) | |
tree | dd9a5103e62f15e74b2d7729e972d141845462aa /fs/notify/fanotify/fanotify.c | |
parent | 83c0e1b442b488571f4fef4a91c2fe52eed6c705 (diff) | |
download | linux-85816794240b9659e66e4d9b0df7c6e814e5f603.tar.xz |
fanotify: Fix use after free for permission events
Currently struct fanotify_event_info has been destroyed immediately
after reporting its contents to userspace. However that is wrong for
permission events because those need to stay around until userspace
provides response which is filled back in fanotify_event_info. So change
to code to free permission events only after we have got the response
from userspace.
Reported-and-tested-by: Jiri Kosina <jkosina@suse.cz>
Reported-and-tested-by: Dave Jones <davej@fedoraproject.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs/notify/fanotify/fanotify.c')
-rw-r--r-- | fs/notify/fanotify/fanotify.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c index c7e5e8f54748..0e792f5e3147 100644 --- a/fs/notify/fanotify/fanotify.c +++ b/fs/notify/fanotify/fanotify.c @@ -192,14 +192,17 @@ static int fanotify_handle_event(struct fsnotify_group *group, ret = fsnotify_add_notify_event(group, fsn_event, fanotify_merge); if (ret) { + BUG_ON(mask & FAN_ALL_PERM_EVENTS); /* Our event wasn't used in the end. Free it. */ fsnotify_destroy_event(group, fsn_event); ret = 0; } #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS - if (mask & FAN_ALL_PERM_EVENTS) + if (mask & FAN_ALL_PERM_EVENTS) { ret = fanotify_get_response_from_access(group, event); + fsnotify_destroy_event(group, fsn_event); + } #endif return ret; } |