From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat, 23 Nov 2013 15:59:42 +1100
Subject: xfs: underflow bug in xfs_attrlist_by_handle()
Origin: http://www.ozlabs.org/~akpm/mmotm/broken-out/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
If we allocate less than sizeof(struct attrlist) then we end up corrupting
memory or doing a ZERO_PTR_SIZE dereference.
This can only be triggered with CAP_SYS_ADMIN.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Acked-by: Ben Myers <bpm@sgi.com>
Cc: Alex Elder <elder@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
fs/xfs/xfs_ioctl.c | 3 ++-
fs/xfs/xfs_ioctl32.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
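--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -443,7 +443,8 @@ xfs_attrlist_by_handle(
 return -XFS_ERROR(EPERM);
 if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
 return -XFS_ERROR(EFAULT);
- if (al_hreq.buflen > XATTR_LIST_MAX)
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
+ al_hreq.buflen > XATTR_LIST_MAX)
 return -XFS_ERROR(EINVAL);
 
 /*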
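Review bot: The new lower bound on `al_hreq.buflen` carries no comment saying why `sizeof(struct attrlist)` is the minimum; the reason (a smaller allocation gets overrun or is zero-sized) lives only in the commit message. I would add above the check `/* buffer must be large enough to hold at least the struct attrlist header */`. The declaration of `buflen` is outside the hunk: if it were a signed type, a negative value would pass both comparisons, since the `sizeof` comparison is done unsigned and the `XATTR_LIST_MAX` one signed, so it is worth confirming the field is unsigned. The same applies to the identical check added in xfs_compat_attrlist_by_handle() in fs/xfs/xfs_ioctl32.c; the function body starts and ends outside the hunk.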
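--- a/fs/xfs/xfs_ioctl32.c
+++ b/fs/xfs/xfs_ioctl32.c
@@ -357,7 +357,8 @@ xfs_compat_attrlist_by_handle(
 if (copy_from_user(&al_hreq, arg,
 sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
 return -XFS_ERROR(EFAULT);
- if (al_hreq.buflen > XATTR_LIST_MAX)
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
+ al_hreq.buflen > XATTR_LIST_MAX)
 return -XFS_ERROR(EINVAL);
 
 /*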
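Review bot: The compat path now holds a second hand-written copy of the `buflen` range check from xfs_attrlist_by_handle(), so the two bounds can drift apart the next time one of them is touched. A small shared helper or macro that takes the length and returns whether it lies between `sizeof(struct attrlist)` and `XATTR_LIST_MAX` would keep the native and 32-bit compat ioctl paths validating the user-supplied length identically. The function body starts and ends outside the hunk, so whether other uses of `al_hreq.buflen` further down rely on the same bounds cannot be seen from here.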