nfs_remount(): don't leak, don't ignore LSM options quietly

mainline inclusion from mainline-v5.0-rc1 commit 6a0440e5 category: bugfix bugzilla: NA CVE: NA -------------------------------- * if mount(2) passes something like "context=foo" with MS_REMOUNT in flags (/sbin/mount.nfs will _not_ do that - you need to issue the syscall manually), you'll get leaked copies for LSM options. The reason is that instead of nfs_{alloc,free}_parsed_mount_data() nfs_remount() uses kzalloc/kfree, which lacks the needed cleanup. * selinux options are not changed on remount (as for any other fs), but in case of NFS the failure is quiet - they are not compared to what we used to have, with complaint in case of attempted changes. Trivially fixed by converting to use of security_sb_remount(). Reviewed-by: N David Howells <dhowells@redhat.com> Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk> Conflict: fs/nfs/super.c Signed-off-by: N Zhang Xiaoxu <zhangxiaoxu5@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

nfs_remount(): don't leak, don't ignore LSM options quietly
mainline inclusion from mainline-v5.0-rc1 commit 6a0440e5 category: bugfix bugzilla: NA CVE: NA -------------------------------- * if mount(2) passes something like "context=foo" with MS_REMOUNT in flags (/sbin/mount.nfs will _not_ do that - you need to issue the syscall manually), you'll get leaked copies for LSM options. The reason is that instead of nfs_{alloc,free}_parsed_mount_data() nfs_remount() uses kzalloc/kfree, which lacks the needed cleanup. * selinux options are not changed on remount (as for any other fs), but in case of NFS the failure is quiet - they are not compared to what we used to have, with complaint in case of attempted changes. Trivially fixed by converting to use of security_sb_remount(). Reviewed-by: N David Howells <dhowells@redhat.com> Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk> Conflict: fs/nfs/super.c Signed-off-by: N Zhang Xiaoxu <zhangxiaoxu5@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
212ca2b7 · Al Viro · Yang Yingliang · 5d4ad757 · 212ca2b7
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

fs/nfs/super.c fs/nfs/super.c +2 -2

未找到文件。
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2272,7 +2272,7 @@ nfs_remount(struct super_block *sb, int *flags, char *raw_data)
 					   options->version <= 6))))
 		return 0;

-	data = kzalloc(sizeof(*data), GFP_KERNEL);
+	data = nfs_alloc_parsed_mount_data();
 	if (data == NULL)
 		return -ENOMEM;

@@ -2312,7 +2312,7 @@ nfs_remount(struct super_block *sb, int *flags, char *raw_data)
 	/* compare new mount options with old ones */
 	error = nfs_compare_remount_data(nfss, data);
 out:
-	kfree(data);
+	nfs_free_parsed_mount_data(data);
 	return error;
 }
 EXPORT_SYMBOL_GPL(nfs_remount);