From 4e78c724d47e2342aa8fde61f6b8536f662f795f Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Mon, 13 Jun 2011 13:49:11 +0900 Subject: [PATCH] TOMOYO: Fix oops in tomoyo_mount_acl(). In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing mount(NULL, "/", "ext3", 0, NULL) request. Fix this by checking dev_name != NULL before calling kern_path(dev_name). Signed-off-by: Tetsuo Handa Cc: stable@kernel.org Signed-off-by: James Morris --- security/tomoyo/mount.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c index 162a864..9fc2e15 100644 --- a/security/tomoyo/mount.c +++ b/security/tomoyo/mount.c @@ -138,7 +138,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, } if (need_dev) { /* Get mount point or device file. */ - if (kern_path(dev_name, LOOKUP_FOLLOW, &path)) { + if (!dev_name || kern_path(dev_name, LOOKUP_FOLLOW, &path)) { error = -ENOENT; goto out; } -- 2.7.4