tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

sys_pipe(): fix file descriptor leaks

Remember to close the files if copy_to_user() failed.

Spotted by dm.n9107@gmail.com.

Signed-off-by: Ulrich Drepper <drepper@redhat.com>
Cc: DM <dm.n9107@gmail.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Ulrich Drepper and committed by
Linus Torvalds ba719bae c1236d31

+13 -3
+4 -1
arch/cris/kernel/sys_cris.c
··· 40 40 error = do_pipe(fd); 41 41 unlock_kernel(); 42 42 if (!error) { 43 - if (copy_to_user(fildes, fd, 2*sizeof(int))) 43 + if (copy_to_user(fildes, fd, 2*sizeof(int))) { 44 + sys_close(fd[0]); 45 + sys_close(fd[1]); 44 46 error = -EFAULT; 47 + } 45 48 } 46 49 return error; 47 50 }
+4 -1
arch/m32r/kernel/sys_m32r.c
··· 90 90 91 91 error = do_pipe(fd); 92 92 if (!error) { 93 - if (copy_to_user((void __user *)r0, fd, 2*sizeof(int))) 93 + if (copy_to_user((void __user *)r0, fd, 2*sizeof(int))) { 94 + sys_close(fd[0]); 95 + sys_close(fd[1]); 94 96 error = -EFAULT; 97 + } 95 98 } 96 99 return error; 97 100 }
+5 -1
fs/pipe.c
··· 17 17 #include <linux/highmem.h> 18 18 #include <linux/pagemap.h> 19 19 #include <linux/audit.h> 20 + #include <linux/syscalls.h> 20 21 21 22 #include <asm/uaccess.h> 22 23 #include <asm/ioctls.h> ··· 1087 1086 1088 1087 error = do_pipe(fd); 1089 1088 if (!error) { 1090 - if (copy_to_user(fildes, fd, sizeof(fd))) 1089 + if (copy_to_user(fildes, fd, sizeof(fd))) { 1090 + sys_close(fd[0]); 1091 + sys_close(fd[1]); 1091 1092 error = -EFAULT; 1093 + } 1092 1094 } 1093 1095 return error; 1094 1096 }