vfs: read file_handle only once in handle_to_path (CVE-2015-1420)
svn path=/dists/sid/linux/; revision=22398
parent
bda3d7b1ef
commit
dfd470cb06
|
@ -6,6 +6,7 @@ linux (3.16.7-ckt4-4) UNRELEASED; urgency=medium
|
||||||
[ Ben Hutchings ]
|
[ Ben Hutchings ]
|
||||||
* shm: add memfd.h to UAPI export list, so kdbus will build
|
* shm: add memfd.h to UAPI export list, so kdbus will build
|
||||||
* [x86] HPET force enable for e6xx based systems (Closes: #772951)
|
* [x86] HPET force enable for e6xx based systems (Closes: #772951)
|
||||||
|
* vfs: read file_handle only once in handle_to_path (CVE-2015-1420)
|
||||||
|
|
||||||
-- Ian Campbell <ijc@debian.org> Mon, 09 Feb 2015 06:17:31 +0000
|
-- Ian Campbell <ijc@debian.org> Mon, 09 Feb 2015 06:17:31 +0000
|
||||||
|
|
||||||
|
|
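--- a/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
+++ b/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
@@ -0,0 +1,37 @@
+From: Sasha Levin <sasha.levin@oracle.com>
+Subject: vfs: read file_handle only once in handle_to_path
+Date: Wed, 28 Jan 2015 15:30:43 -0500
+Origin: http://article.gmane.org/gmane.linux.file-systems/92438
+
+We used to read file_handle twice. Once to get the amount of extra bytes, and
+once to fetch the entire structure.
+
+This may be problematic since we do size verifications only after the first
+read, so if the number of extra bytes changes in userspace between the first
+and second calls, we'll have an incoherent view of file_handle.
+
+Instead, read the constant size once, and copy that over to the final
+structure without having to re-read it again.
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+---
+Change in v2:
+- Use the f_handle pointer rather than size of struct
+
+fs/fhandle.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/fhandle.c
++++ b/fs/fhandle.c
+@@ -195,8 +195,9 @@ static int handle_to_path(int mountdirfd
+goto out_err;
+}
+/* copy the full handle */
+- if (copy_from_user(handle, ufh,
+- sizeof(struct file_handle) +
++ *handle = f_handle;
++ if (copy_from_user(&handle->f_handle,
++ &ufh->f_handle,
+f_handle.handle_bytes)) {
+retval = -EFAULT;
+goto out_handle;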
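Review bot: The comment `/* copy the full handle */` kept as context above the new lines is now stale. After this change the fixed-size header is assigned from the kernel-side copy (`*handle = f_handle;`) and only the variable-length `f_handle` payload of `f_handle.handle_bytes` bytes is fetched from userspace. That split is what closes the double fetch described in the patch header, so I would reword the comment to something like `/* header comes from the kernel copy already read; fetch only the payload so handle_bytes cannot change under us */`. The size check on `handle_bytes` that the description mentions is presumably above this hunk; handle_to_path starts and ends outside it, so that cannot be confirmed from here.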
@ -503,3 +503,4 @@ bugfix/x86/x86-tls-interpret-an-all-zero-struct-user_desc-as-no.patch
|
||||||
bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-.patch
|
bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-.patch
|
||||||
features/all/kdbus/shm-add-memfd.h-to-uapi-export-list.patch
|
features/all/kdbus/shm-add-memfd.h-to-uapi-export-list.patch
|
||||||
bugfix/x86/x86-hpet-force-enable-for-e6xx-based-systems.patch
|
bugfix/x86/x86-hpet-force-enable-for-e6xx-based-systems.patch
|
||||||
|
bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
|
||||||
|
|