ACK: [CVE-2015-1420][Precise][Trusty][Utopic][Vivid] vfs: read file_handle only once in handle_to_path
Brad Figg
brad.figg at canonical.com
Thu Jun 4 15:52:58 UTC 2015
On Wed, Jun 03, 2015 at 10:58:22AM +0100, Luis Henriques wrote:
> From: Sasha Levin <sasha.levin at oracle.com>
>
> We used to read file_handle twice. Once to get the amount of extra
> bytes, and once to fetch the entire structure.
>
> This may be problematic since we do size verifications only after the
> first read, so if the number of extra bytes changes in userspace between
> the first and second calls, we'll have an incoherent view of
> file_handle.
>
> Instead, read the constant size once, and copy that over to the final
> structure without having to re-read it again.
>
> Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
> Cc: Al Viro <viro at zeniv.linux.org.uk>
> Cc: stable at vger.kernel.org
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (cherry picked from commit 161f873b89136eb1e69477c847d5a5033239d9ba)
> CVE-2015-1420
> BugLink: https://bugs.launchpad.net/bugs/1416503
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> fs/fhandle.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/fhandle.c b/fs/fhandle.c
> index 999ff5c3cab0..d59712dfa3e7 100644
> --- a/fs/fhandle.c
> +++ b/fs/fhandle.c
> @@ -195,8 +195,9 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
> goto out_err;
> }
> /* copy the full handle */
> - if (copy_from_user(handle, ufh,
> - sizeof(struct file_handle) +
> + *handle = f_handle;
> + if (copy_from_user(&handle->f_handle,
> + &ufh->f_handle,
> f_handle.handle_bytes)) {
> retval = -EFAULT;
> goto out_handle;
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Clean cherry-pick.
--
Brad Figg brad.figg at canonical.com http://www.canonical.com
More information about the kernel-team
mailing list