diff options
author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-23 13:58:47 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-23 13:58:51 -0400 |
commit | 8ae87118fd1257d81b0188ae344f362251f160c0 (patch) | |
tree | 9571595af9ecc13b3cc3292d5d43eb9c5ea47d2d | |
parent | f9e5196949a4c8710dd30b4ca607a435ae0f3c00 (diff) | |
download | longterm-queue-2.6.34-8ae87118fd1257d81b0188ae344f362251f160c0.tar.gz |
xfs prevent leak requires xfs zero proper patch
Thanks to Dan Rosenberg for pointing this out.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/series | 1 | ||||
-rw-r--r-- | queue/xfs-zero-proper-structure-size-for-geometry-calls.patch | 72 |
2 files changed, 73 insertions, 0 deletions
diff --git a/queue/series b/queue/series index 32d7f12..8735b7f 100644 --- a/queue/series +++ b/queue/series @@ -254,6 +254,7 @@ netlink-Make-nlmsg_find_attr-take-a-const-nlmsghdr.patch irda-prevent-integer-underflow-in-IRLMP_ENUMDEVICES.patch CAN-Use-inode-instead-of-kernel-address-for-proc-fil.patch xfs-prevent-leaking-uninitialized-stack-memory-in-FS.patch +xfs-zero-proper-structure-size-for-geometry-calls.patch Bluetooth-sco-fix-information-leak-to-userspace.patch Bluetooth-bnep-fix-buffer-overflow.patch bridge-netfilter-fix-information-leak.patch diff --git a/queue/xfs-zero-proper-structure-size-for-geometry-calls.patch b/queue/xfs-zero-proper-structure-size-for-geometry-calls.patch new file mode 100644 index 0000000..97209f8 --- /dev/null +++ b/queue/xfs-zero-proper-structure-size-for-geometry-calls.patch @@ -0,0 +1,72 @@ +From b9687ebd3d8785c346517f1d29b0978e3154ddc3 Mon Sep 17 00:00:00 2001 +From: Alex Elder <aelder@sgi.com> +Date: Tue, 1 Mar 2011 17:50:00 +0000 +Subject: [PATCH] xfs: zero proper structure size for geometry calls + +commit af24ee9ea8d532e16883251a6684dfa1be8eec29 upstream. + +Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to +xfs_fs_geometry() in order to avoid passing kernel stack data back +to user space: + ++ memset(geo, 0, sizeof(*geo)); + +Unfortunately, one of the callers of that function passes the +address of a smaller data type, cast to fit the type that +xfs_fs_geometry() requires. As a result, this can happen: + +Kernel panic - not syncing: stack-protector: Kernel stack is corrupted +in: f87aca93 + +Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1 +Call Trace: + +[<c12991ac>] ? panic+0x50/0x150 +[<c102ed71>] ? __stack_chk_fail+0x10/0x18 +[<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs] + +Fix this by fixing that one caller to pass the right type and then +copy out the subset it is interested in. + +Note: This patch is an alternative to one originally proposed by +Eric Sandeen. + +Reported-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu> +Signed-off-by: Alex Elder <aelder@sgi.com> +Reviewed-by: Eric Sandeen <sandeen@redhat.com> +Tested-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + fs/xfs/linux-2.6/xfs_ioctl.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c +index c6df36f..8a1e425 100644 +--- a/fs/xfs/linux-2.6/xfs_ioctl.c ++++ b/fs/xfs/linux-2.6/xfs_ioctl.c +@@ -699,14 +699,19 @@ xfs_ioc_fsgeometry_v1( + xfs_mount_t *mp, + void __user *arg) + { +- xfs_fsop_geom_v1_t fsgeo; ++ xfs_fsop_geom_t fsgeo; + int error; + +- error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3); ++ error = xfs_fs_geometry(mp, &fsgeo, 3); + if (error) + return -error; + +- if (copy_to_user(arg, &fsgeo, sizeof(fsgeo))) ++ /* ++ * Caller should have passed an argument of type ++ * xfs_fsop_geom_v1_t. This is a proper subset of the ++ * xfs_fsop_geom_t that xfs_fs_geometry() fills in. ++ */ ++ if (copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t))) + return -XFS_ERROR(EFAULT); + return 0; + } +-- +1.7.4.4 + |