ee12595147
This code calls fd_install() which gives the userspace access to the fd.
Then if copy_info_records_to_user() fails it calls put_unused_fd(fd) but
that will not release it and leads to a stale entry in the file
descriptor table.
Generally you can't trust the fd after a call to fd_install(). The fix
is to delay the fd_install() until everything else has succeeded.
Fortunately it requires CAP_SYS_ADMIN to reach this code so the security
impact is less.
Fixes:
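Added example, not the kernel's code or this commit's diff: a userspace C model of the fd-table behaviour the message relies on, where get_unused_fd()/fd_install()/put_unused_fd() are simplified stand-ins and copy_info_records_to_user() is a constructed error-injection stub, contrasting the install-then-copy ordering with the fixed copy-then-install ordering.

```c
#include <stdbool.h>
#include <string.h>
#define NR_FDS 4
struct file { const char *name; };
/* Model fd table: the open-fd bitmap that get_unused_fd() reserves and put_unused_fd()
 * clears, plus the file array that fd_install() fills; put_unused_fd() never touches it. */
static bool open_fds[NR_FDS];
static struct file *fd_array[NR_FDS];
static int get_unused_fd(void)
{
    for (int fd = 0; fd < NR_FDS; fd++)
        if (!open_fds[fd]) { open_fds[fd] = true; return fd; }
    return -1;                                   /* stands in for -EMFILE */
}
static void fd_install(int fd, struct file *f) { fd_array[fd] = f; }
static void put_unused_fd(int fd) { open_fds[fd] = false; }
/* Stale entry: a slot still holding a file but no longer marked open. */
static int stale_entries(void)
{
    int n = 0;
    for (int fd = 0; fd < NR_FDS; fd++) n += (fd_array[fd] && !open_fds[fd]);
    return n;
}
/* Constructed stand-in for copy_info_records_to_user(): fails on demand. */
static int copy_info_records_to_user(bool fail) { return fail ? -1 : 0; }
/* Ordering the commit describes as buggy: install first, copy second. */
static int copy_event_buggy(struct file *f, bool copy_fails)
{
    int fd = get_unused_fd();
    if (fd < 0) return fd;
    fd_install(fd, f);                          /* fd is now visible to userspace */
    if (copy_info_records_to_user(copy_fails)) { put_unused_fd(fd); return -1; } /* slot stays stale */
    return fd;
}
/* Fixed ordering: fd_install() only after everything else has succeeded. */
static int copy_event_fixed(struct file *f, bool copy_fails)
{
    int fd = get_unused_fd();
    if (fd < 0) return fd;
    if (copy_info_records_to_user(copy_fails)) { put_unused_fd(fd); return -1; } /* nothing installed */
    fd_install(fd, f);
    return fd;
}
/* Fresh table, run one variant on a constructed event, count stale slots left behind. */
static int stale_after(int (*copy_event)(struct file *, bool), bool copy_fails)
{
    static struct file ev = { "constructed fanotify event" };
    memset(open_fds, 0, sizeof(open_fds)); memset(fd_array, 0, sizeof(fd_array));
    copy_event(&ev, copy_fails);
    return stale_entries();
}
```

With the buggy ordering a failed copy leaves one slot holding a file that the bitmap no longer marks open; with the fixed ordering the failure path leaves the table clean.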