aufs calls security_path_mknod with a wrong parameter

Bug #724456 reported by John Johansen
Affects: linux (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: John Johansen

Bug Description

The security_path_mknod() call expects the 'dev' argument to be in encoded form instead of its decoded dev conversion. However, aufs is calling it with a 'dev' parameter that has already been converted with new_decode_dev().

As can be seen from fs/namei.c, security_path_mknod is called correctly, and vfs_mknod is called with new_decode_dev(dev):

    error = security_path_mknod(&nd.path, dentry, mode, dev);
    if (error)
            goto out_drop_write;
    switch (mode & S_IFMT) {
    case 0: case S_IFREG:
            error = vfs_create(nd.path.dentry->d_inode, dentry, mode, &nd);
            break;
    case S_IFCHR: case S_IFBLK:
            error = vfs_mknod(nd.path.dentry->d_inode, dentry, mode,
                              new_decode_dev(dev));

But aufs's vfsub_mknod() (called from add_simple() from aufs_mknod() from
vfs_mknod()) is calling security_path_mknod().

    int vfsub_mknod(struct inode *dir, struct path *path, int mode, dev_t dev)
    {
            int err;
            struct dentry *d;

            IMustLock(dir);

            d = path->dentry;
            path->dentry = d->d_parent;
            err = security_path_mknod(path, d, mode, dev);
            path->dentry = d;
            if (unlikely(err))
                    goto out;

            err = vfs_mknod(dir, path->dentry, mode, dev);

In vfsub_mknod(), 'dev' was already converted by 'new_decode_dev(dev)',
but the LSM and the TOMOYO security module are expecting 'dev' rather than 'new_decode_dev(dev)'.

With the Natty kernel, TOMOYO will check new_decode_dev(new_decode_dev(dev)) (which is wrong) when invoked via the security_path_mknod() call from aufs.

Tags: kernel-key
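
The double decode described in the report, worked through for one device number. This is an added userspace example, not code from the kernel tree or the bug report: the encode/decode helpers mirror the kernel's new_encode_dev()/new_decode_dev(), while lsm_hook_sees(), namei_style_call(), aufs_style_call() and the 1:3 sample device are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MINORBITS 20
#define MINORMASK ((1U << MINORBITS) - 1)
#define MAJOR(dev) ((unsigned)((dev) >> MINORBITS))
#define MINOR(dev) ((unsigned)((dev) & MINORMASK))
#define MKDEV(ma, mi) (((uint32_t)(ma) << MINORBITS) | (mi))

/* Userspace copies of the kernel helpers (include/linux/kdev_t.h). */
static uint32_t new_encode_dev(uint32_t dev)
{
	unsigned major = MAJOR(dev), minor = MINOR(dev);
	return (minor & 0xff) | (major << 8) | ((minor & ~0xffU) << 12);
}

static uint32_t new_decode_dev(uint32_t dev)
{
	unsigned major = (dev & 0xfff00) >> 8;
	unsigned minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
	return MKDEV(major, minor);
}

/* Hypothetical stand-in for an LSM mknod hook that, as the report says of
 * TOMOYO, applies new_decode_dev() to whatever 'dev' it is handed. */
static uint32_t lsm_hook_sees(uint32_t dev_arg)
{
	return new_decode_dev(dev_arg);
}

/* fs/namei.c pattern: the hook receives the still-encoded value. */
static uint32_t namei_style_call(uint32_t encoded)
{
	return lsm_hook_sees(encoded);
}

/* aufs pattern from the report: 'dev' was decoded before the hook call. */
static uint32_t aufs_style_call(uint32_t encoded)
{
	return lsm_hook_sees(new_decode_dev(encoded));
}

int main(void)
{
	uint32_t enc = new_encode_dev(MKDEV(1, 3)); /* constructed sample: 1:3 */
	uint32_t ok = namei_style_call(enc), bad = aufs_style_call(enc);
	printf("encoded 0x%x\n", (unsigned)enc);
	printf("namei path checks %u:%u\n", MAJOR(ok), MINOR(ok));
	printf("aufs path checks  %u:%u\n", MAJOR(bad), MINOR(bad));
	return 0;
}
```

The policy check on the aufs path is made against a different major:minor pair than the one vfs_mknod() goes on to create, so a device-number rule neither matches the nodes it was written for nor reliably excludes others.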
Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
Andy Whitcroft (apw)
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: New → Fix Committed
tags: added: kernel-key
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.38-6.33

---------------
linux (2.6.38-6.33) natty; urgency=low

  [ Andy Whitcroft ]

  * d-i -- enable speakup-modules udeb
    - LP: #672699
  * rebase to 493f3358cb289ccf716c5a14fa5bb52ab75943e5
  * [Config] debian PPC64 configuration
  * [Config] cleanup powerpc config fixing unexpected inconsistancies
  * [Config] resync ppc64 configuration
  * SAUCE: match up ENTRY/END naming for 32/64 bit
  * rebase to fb62c00a6d8942775abc23d1621db1252e2d93d1
  * [Config] update configs after rebase to
    fb62c00a6d8942775abc23d1621db1252e2d93d1
  * [Config] pps_gen_parport no longer built

  [ Corentin Chary ]

  * SAUCE: (drop after 2.6.38) eeepc-wmi: reorder keymap
    - LP: #689393
  * SAUCE: (drop after 2.6.38) eeepc-wmi: add wlan key found on 1015P
    - LP: #689393

  [ John Johansen ]

  * SAUCE: Fix aufs calling of security_path_mknod
    - LP: #724456

  [ Kees Cook ]

  * SAUCE: proc: hide kernel addresses via %pK in /proc/<pid>/stack

  [ Tim Gardner ]

  * rebase to 2.6.38-rc7

  [ Upstream Kernel Changes ]

  * Revert "drm/i915: fix corruptions on i8xx due to relaxed fencing"

  [ Major Kernel Changes ]

  * rebase from v2.6.38-rc6 to v2.6.38-rc7 +
    fb62c00a6d8942775abc23d1621db1252e2d93d1
    - LP: #721389
    - LP: #722925
    - LP: #723672
    - LP: #723676
    - LP: #715318
 -- Andy Whitcroft <email address hidden> Mon, 07 Mar 2011 15:33:17 +0000

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released