500904 – renaming file on a share w/o write permissions causes oops

Bug 500904 - renaming file on a share w/o write permissions causes oops

Summary: renaming file on a share w/o write permissions causes oops

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	4.8
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jeff Layton
QA Contact:	Petr Beňas
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	589293
TreeView+	depends on / blocked

Reported:	2009-05-14 19:51 UTC by Jeff Layton
Modified:	2018-10-27 11:53 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	500839
Environment:
Last Closed:	2011-02-16 16:04:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0263	0	normal	SHIPPED_LIVE	Important: Red Hat Enterprise Linux 4.9 kernel security and bug fix update	2011-02-16 15:14:55 UTC

Description Jeff Layton 2009-05-14 19:51:29 UTC

+++ This bug was initially created as a clone of Bug #500839 +++

This bug was reported upstream, but RHEL4 is also vulnerable. If you mount a share to which you do not have write permissions an then try to rename a file, the kernel will oops.

Comment 1 RHEL Program Management 2009-06-05 13:47:05 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 7 Vivek Goyal 2010-10-15 13:28:32 UTC

Committed in 89.44.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 9 Petr Beňas 2010-11-02 14:50:16 UTC

Due to change of CIFS to system error mappings discussed in bug 516102 is this one unverifiable. 

[root@ibm-ls22-01 ~]# mount -t cifs //localhost/bug /mnt/testarea/500904-mnt/ -o username=root,rw
Password: 
[root@ibm-ls22-01 ~]# cd /mnt/testarea/500904-mnt/
[root@ibm-ls22-01 500904-mnt]# mv file1 file2
mv: overwrite `file2'? yes
mv: cannot move `file1' to a subdirectory of itself, `file2'
[root@ibm-ls22-01 500904-mnt]# uname -ri
2.6.9-89.43.EL x86_64

Performed code review and it looks ok, moving to verified then. 

2.6.9-89.44.EL kernel.spec:
2590 Patch13122: linux-2.6.9-cifs-when-renaming-don-t-try-to-unlink-negative--
        dent.patch
5978 %patch13122 -p1


unlink-negative-dent.patch  SOURCES/linux-2.6.9-cifs-when-renaming-don-t-try-to-u
Changelog: cifs: when renaming don't try to unlink negative dentry
Bugzilla: 500904

--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -1379,7 +1379,8 @@ int cifs_rename(struct inode *source_dir, struct dentry *source_dentry,
                     checking the UniqueId via FILE_INTERNAL_INFO */
 
 unlink_target:
-       if ((rc == -EACCES) || (rc == -EEXIST)) {
+       /* Try unlinking the target dentry if it's not negative */
+       if (target_dentry->d_inode && (rc == -EACCES || rc == -EEXIST)) {
                tmprc = cifs_unlink(target_dir, target_dentry);
                if (tmprc)
                        goto cifs_rename_exit;

Comment 10 errata-xmlrpc 2011-02-16 16:04:31 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0263.html

Note You need to log in before you can comment on or make changes to this bug.