[PATCH 3/3] [CVE-2012-2375] [ONEIRIC] [NATTY] Fix length of buffer copied in __nfs4_get_acl_uncached

Brad Figg brad.figg at canonical.com
Thu May 31 16:28:42 UTC 2012


From: Sachin Prabhu <sprabhu at redhat.com>

CVE-2012-2375

_copy_from_pages(), used to copy data from the temporary buffer to the
user-passed buffer, is passed the wrong size parameter when copying
data. res.acl_len contains both the bitmap and acl lengths while
acl_len contains the acl length after adjusting for the bitmap size.

Signed-off-by: Sachin Prabhu <sprabhu at redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
Signed-off-by: Brad Figg <brad.figg at canonical.com>
(cherry picked from commit 20e0fa98b751facf9a1101edaefbc19c82616a68)
---
 fs/nfs/nfs4proc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 2f8f3bb..ec8acdb 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3609,7 +3609,7 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
 		if (acl_len > buflen)
 			goto out_free;
 		_copy_from_pages(buf, pages, res.acl_data_offset,
-				res.acl_len);
+				acl_len);
 	}
 	ret = acl_len;
 out_free:
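Review bot: the bounds check `if (acl_len > buflen)` at the top of this hunk guards acl_len, yet the copy below it was passed res.acl_len, which the commit message says also includes the bitmap length, so up to (res.acl_len - acl_len) bytes could be written past buf even though the check passed; changing the argument to acl_len makes the copied size match the checked size, and `ret = acl_len` is already the bitmap-adjusted value, so the returned length stays consistent. With two near-identical names in scope, a one-line comment at the copy noting that res.acl_len includes the bitmap would make a regression back to the wrong variable less likely.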
-- 
1.7.9.5
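To make the commit message concrete, the following is an added, constructed model of the check-then-copy logic in the hunk; it is not kernel code and not part of the original mail. The names res.acl_len, acl_len, buflen and the _copy_from_pages() stand-in mirror the hunk, while the struct, the byte values, the canary region and the helper run_get_acl() are assumptions made for the demonstration. It shows that with the pre-patch length the copy runs past the caller's buffer by exactly the bitmap length whenever the guarded acl_len fits, and that the post-patch length does not.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model (not kernel code) of the length mix-up fixed by the
 * patch: the reply holds a bitmap followed by the ACL bytes, the bounds
 * check uses the ACL length alone, but the copy used the combined length.
 */

#define CANARY 0xA5
#define CANARY_SLACK 8

/* Stand-in for the two fields of the kernel's reply struct used in the hunk. */
struct getacl_res_model {
    size_t acl_len;          /* bitmap length + ACL length (res.acl_len) */
    size_t acl_data_offset;  /* where the ACL bytes start in the pages */
};

/* Stand-in for _copy_from_pages(): copy len bytes from pages+offset into buf. */
static void model_copy_from_pages(unsigned char *buf, const unsigned char *pages,
                                  size_t offset, size_t len)
{
    memcpy(buf, pages + offset, len);
}

/*
 * Run the check-then-copy logic once. `fixed` selects the post-patch
 * length (acl_len) or the pre-patch one (res.acl_len).
 * Returns -1 if the check rejects the request (caller buffer too small),
 * otherwise the number of canary bytes overwritten past buflen.
 */
int run_get_acl(int fixed, size_t bitmap_len, size_t acl_bytes, size_t buflen)
{
    size_t total = bitmap_len + acl_bytes;

    /* Constructed reply: bitmap bytes 0x11, ACL bytes 0x22, then zeroed
     * slack so the pre-patch over-read stays inside our own allocation. */
    unsigned char *pages = calloc(total + bitmap_len, 1);

    /* Caller buffer followed by a canary region large enough to absorb the
     * worst-case overrun (bitmap_len bytes) so the demo itself is well-defined. */
    size_t canary_len = bitmap_len + CANARY_SLACK;
    unsigned char *buf = malloc(buflen + canary_len);
    if (!pages || !buf)
        abort();

    memset(pages, 0x11, bitmap_len);
    memset(pages + bitmap_len, 0x22, acl_bytes);
    memset(buf, 0, buflen);
    memset(buf + buflen, CANARY, canary_len);

    struct getacl_res_model res = { .acl_len = total, .acl_data_offset = bitmap_len };
    size_t acl_len = res.acl_len - res.acl_data_offset;  /* ACL length after removing the bitmap */

    int clobbered = -1;
    if (acl_len <= buflen) {   /* the hunk's `if (acl_len > buflen) goto out_free;` */
        size_t copy_len = fixed ? acl_len : res.acl_len;
        model_copy_from_pages(buf, pages, res.acl_data_offset, copy_len);

        clobbered = 0;
        for (size_t i = 0; i < canary_len; i++)
            if (buf[buflen + i] != CANARY)
                clobbered++;
    }

    free(buf);
    free(pages);
    return clobbered;
}

int main(void)
{
    /* 8-byte bitmap, 32-byte ACL, caller buffer of exactly 32 bytes. */
    printf("pre-patch : %d bytes written past buf\n", run_get_acl(0, 8, 32, 32));
    printf("post-patch: %d bytes written past buf\n", run_get_acl(1, 8, 32, 32));
    printf("too small : %d (request refused)\n", run_get_acl(1, 8, 40, 32));
    return 0;
}
```

The overrun only shows when the caller's buffer is sized tightly to the ACL; with a generous buffer (for example 64 bytes for the same reply) the pre-patch code copies the extra bitmap-length bytes into unused space and nothing visibly breaks, which is the kind of latent bug a canary-style check like the one above is meant to surface.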