From ba719baeabbff5476eeb91c223e6921ba29e1490 Mon Sep 17 00:00:00 2001 From: Ulrich Drepper <drepper@redhat.com> Date: Tue, 6 May 2008 20:42:38 -0700 Subject: [PATCH] sys_pipe(): fix file descriptor leaks Remember to close the files if copy_to_user() failed. Spotted by dm.n9107@gmail.com. Signed-off-by: Ulrich Drepper <drepper@redhat.com> Cc: DM <dm.n9107@gmail.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> --- arch/cris/kernel/sys_cris.c | 5 ++++- arch/m32r/kernel/sys_m32r.c | 5 ++++- fs/pipe.c | 6 +++++- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/arch/cris/kernel/sys_cris.c b/arch/cris/kernel/sys_cris.c index 8b9984197edc..d124066e1728 100644 --- a/arch/cris/kernel/sys_cris.c +++ b/arch/cris/kernel/sys_cris.c @@ -40,8 +40,11 @@ asmlinkage int sys_pipe(unsigned long __user * fildes) error = do_pipe(fd); unlock_kernel(); if (!error) { - if (copy_to_user(fildes, fd, 2*sizeof(int))) + if (copy_to_user(fildes, fd, 2*sizeof(int))) { + sys_close(fd[0]); + sys_close(fd[1]); error = -EFAULT; + } } return error; } diff --git a/arch/m32r/kernel/sys_m32r.c b/arch/m32r/kernel/sys_m32r.c index 6d7a80fdad48..319c79720b8a 100644 --- a/arch/m32r/kernel/sys_m32r.c +++ b/arch/m32r/kernel/sys_m32r.c @@ -90,8 +90,11 @@ sys_pipe(unsigned long r0, unsigned long r1, unsigned long r2, error = do_pipe(fd); if (!error) { - if (copy_to_user((void __user *)r0, fd, 2*sizeof(int))) + if (copy_to_user((void __user *)r0, fd, 2*sizeof(int))) { + sys_close(fd[0]); + sys_close(fd[1]); error = -EFAULT; + } } return error; } diff --git a/fs/pipe.c b/fs/pipe.c index 3499f9ff6316..ec228bc9f882 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -17,6 +17,7 @@ #include <linux/highmem.h> #include <linux/pagemap.h> #include <linux/audit.h> +#include <linux/syscalls.h> #include <asm/uaccess.h> #include <asm/ioctls.h> @@ -1086,8 +1087,11 @@ asmlinkage long __weak sys_pipe(int __user *fildes) error = do_pipe(fd); if (!error) { - if (copy_to_user(fildes, fd, sizeof(fd))) + if (copy_to_user(fildes, fd, sizeof(fd))) { + sys_close(fd[0]); + sys_close(fd[1]); error = -EFAULT; + } } return error; } -- GitLab