1 files changed, 54 insertions, 0 deletions

diff --git a/freed-ora/current/F-12/fix-ima-null-ptr-deref.patch b/freed-ora/current/F-12/fix-ima-null-ptr-deref.patch
new file mode 100644
index 000000000..01515f7b4
--- /dev/null
+++ b/freed-ora/current/F-12/fix-ima-null-ptr-deref.patch
@@ -0,0 +1,54 @@
+From: J. R. Okajima <hooanon05@yahoo.co.jp>
+Date: Sun, 7 Feb 2010 06:48:55 +0000 (+1100)
+Subject: ima: fix null pointer deref
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fjmorris%2Fsecurity-testing-2.6.git;a=commitdiff_plain;h=8bb6795424b09db0eca1cccf7a17b93fc28ac7f7
+
+ima: fix null pointer deref
+
+The commit 6c21a7f "LSM: imbed ima calls in the security hooks"
+which moves the ima_file_free() call within security_file_free()
+brought a problem into pipe.c.
+In the error path of pipe(2), the allocated resources are freed by
+path_put() and put_filp() (in this order). Since security_file_free()
+refers f_dentry and ima_file_free() refers f_dentry->d_inode, path_put()
+should be called after put_filp().
+
+Signed-off-by: J. R. Okajima <hooanon05@yahoo.co.jp>
+Signed-off-by: James Morris <jmorris@namei.org>
+---
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index 37ba29f..90b543d 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -1004,9 +1004,10 @@ struct file *create_write_pipe(int flags)
+ 
+ void free_write_pipe(struct file *f)
+ {
++	struct path path = f->f_path;
+ 	free_pipe_info(f->f_dentry->d_inode);
+-	path_put(&f->f_path);
+ 	put_filp(f);
++	path_put(&path);
+ }
+ 
+ struct file *create_read_pipe(struct file *wrf, int flags)
+@@ -1028,6 +1029,7 @@ int do_pipe_flags(int *fd, int flags)
+ 	struct file *fw, *fr;
+ 	int error;
+ 	int fdw, fdr;
++	struct path path;
+ 
+ 	if (flags & ~(O_CLOEXEC | O_NONBLOCK))
+ 		return -EINVAL;
+@@ -1061,8 +1063,9 @@ int do_pipe_flags(int *fd, int flags)
+  err_fdr:
+ 	put_unused_fd(fdr);
+  err_read_pipe:
+-	path_put(&fr->f_path);
++	path = fr->f_path;
+ 	put_filp(fr);
++	path_put(&path);
+  err_write_pipe:
+ 	free_write_pipe(fw);
+ 	return error;