From: Danny Feng <dfeng@redhat.com> Date: Tue, 21 Jul 2009 01:59:09 -0400 Subject: [net] tun/tap: open /dev/net/tun and then poll() it fix Message-id: 20090721055908.18789.81108.sendpatchset@danny O-Subject: [PATCH RHEL5.4] CVE-2009-1897 tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. Bugzilla: 512286 RH-Acked-by: Pete Zaitcev <zaitcev@redhat.com> RH-Acked-by: Eugene Teo <eugene@redhat.com> RH-Acked-by: Jiri Pirko <jpirko@redhat.com> RH-Acked-by: David Miller <davem@redhat.com> RH-Acked-by: Andy Gospodarek <gospo@redhat.com> RH-Acked-by: Thomas Graf <tgraf@redhat.com> CVE: CVE-2009-1897 RHBZ#512286 https://bugzilla.redhat.com/show_bug.cgi?id=512286 Description: Fix NULL pointer dereference in tun_chr_pool() introduced by commit 388c3049 ("[RHEL5.4 PATCH] tun: Add packet accounting") and triggered by this code: int fd; struct pollfd pfd; fd = open("/dev/net/tun", O_RDWR); pfd.fd = fd; pfd.events = POLLIN | POLLOUT; poll(&pfd, 1, 0); Brew ID: 1898462 KABI: no harm Upstream status: backport of commit 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13 Test status: Without the patch, kernel panic with the reproduce program (for root user) on RHEL5.4 (only affect 5.4).Testing on RHEL5.4 x86_64. I confirm this patch fix the kernel panic. Please review and ACK. diff --git a/drivers/net/tun.c b/drivers/net/tun.c index b803dba..785ef15 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -234,12 +234,14 @@ static void tun_net_init(struct net_device *dev) static unsigned int tun_chr_poll(struct file *file, poll_table * wait) { struct tun_struct *tun = file->private_data; - struct sock *sk = tun->sk; + struct sock *sk; unsigned int mask = 0; if (!tun) return -EBADFD; + sk = tun->sk; + DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name); poll_wait(file, &tun->read_wait, wait);
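Review bot: `return -EBADFD;` in the unchanged context of this hunk is returned from a function declared `unsigned int`, so a caller of the poll callback receives a negative errno reinterpreted as an event mask with most bits set rather than an error indication; consider `return POLLERR;` here so that the no-interface case is reported through the mask as the poll interface expects. The moved assignment `sk = tun->sk;` now sits after the `if (!tun)` check, which is what closes the NULL dereference of `file->private_data` reached by the open()-then-poll() reproducer in the description, and the declaration `struct sock *sk;` left uninitialised is fine since every later use is behind the check.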