[Devel] [PATCH v2] ext4: release leaked posix acl in ext4_xattr_set_acl
Dmitry Monakhov
dmonakhov at openvz.org
Wed Feb 7 18:17:29 MSK 2018
Stanislav Kinsburskiy <skinsbursky at virtuozzo.com> writes:
> Note: only rh7-3.10.0-693.17.1.el7-based kernels are affected.
> I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
>
> Posix acl is used to convert an extended attribute, provided by the user, to
> ext4 attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
> IOW, this object is allocated, used for conversion, not stored anywhere and
> must be freed.
> However posix_acl_update_mode() can zero the pointer to support
> ext4_set_acl() logic, but then the object is leaked.
> So, fix it by releasing new temporary pointer with the same value instead of
> acl pointer.
>
> https://jira.sw.ru/browse/PSBM-81384
>
> RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
>
> v2: Added affected kernel version + RHEL bug URL
ACK.
>
> Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
> ---
> fs/ext4/acl.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
> index 917e819..f8a38a2 100644
> --- a/fs/ext4/acl.c
> +++ b/fs/ext4/acl.c
> @@ -403,7 +403,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
> {
> struct inode *inode = dentry->d_inode;
> handle_t *handle;
> - struct posix_acl *acl;
> + struct posix_acl *acl, *real_acl;
> int error, retries = 0;
> int update_mode = 0;
> umode_t mode = inode->i_mode;
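Review bot: the new `real_acl` declaration carries no comment explaining why two pointers to the same object are needed. A one-line comment here, saying that `acl` may be cleared by posix_acl_update_mode() while `real_acl` keeps the allocation for the final release, would stop a later cleanup from folding the two back into one and reintroducing the leak.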
> @@ -416,7 +416,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
> return -EPERM;
>
> if (value) {
> - acl = posix_acl_from_xattr(&init_user_ns, value, size);
> + acl = real_acl = posix_acl_from_xattr(&init_user_ns, value, size);
> if (IS_ERR(acl))
> return PTR_ERR(acl);
> else if (acl) {
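Review bot: the chained assignment `acl = real_acl = posix_acl_from_xattr(...)` is a style point, since checkpatch.pl --strict reports multiple assignments in one statement; splitting it into two statements reads more clearly. On failure `real_acl` also ends up holding the error pointer, which is harmless as written because the IS_ERR() branch returns directly instead of jumping to release_and_out, but that dependency is easy to break if the error path is ever changed to use the label.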
> @@ -425,7 +425,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
> goto release_and_out;
> }
> } else
> - acl = NULL;
> + acl = real_acl = NULL;
>
> retry:
> handle = ext4_journal_start(inode, EXT4_HT_XATTR,
> @@ -452,7 +452,7 @@ ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
> goto retry;
>
> release_and_out:
> - posix_acl_release(acl);
> + posix_acl_release(real_acl);
> return error;
> }
>
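Review bot: with release_and_out now freeing `real_acl`, the `goto retry` just above it deserves an explicit check. If `acl` was cleared during the first pass, the second pass after `retry:` runs with `acl == NULL` while `real_acl` is still set; if that is the intended behaviour, a sentence in the commit message or a comment at `retry:` should say so. The release itself covers both the allocated case and the `real_acl = NULL` case, matching what the old `posix_acl_release(acl)` call already relied on.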