Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jan 10, 2013 at 11:57:25AM +0300, Dan Carpenter wrote:
> The closing parenthesis is in the wrong place.  We want to check
> "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
> "sizeof(*arg->clone_sources * arg->clone_sources_count)".
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Original message id: <20130110085725.GA23063@elgon.mountain>

This patch hasn't been applied.

> ---
> This is also vulnerable to integer overflows.  It's only done under
> root, but these days we are trying to restrict what root can do without
> configuring Secure Boot in UEFI.

Although it's a security fix, it's not exploitable by a user so it's not
that urgent to get it merged. Nevertheless, I hope you can squeeze it
into 3.12-rc so we can then start pushing it to stable kernels (at least
3.10).

> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
> index 5445454..4be3832 100644
> --- a/fs/btrfs/send.c
> +++ b/fs/btrfs/send.c
> @@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
>  	}
>  
>  	if (!access_ok(VERIFY_READ, arg->clone_sources,
> -			sizeof(*arg->clone_sources *
> -			arg->clone_sources_count))) {
> +			sizeof(*arg->clone_sources) *
> +			arg->clone_sources_count)) {
>  		ret = -EFAULT;
>  		goto out;
>  	}

david
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Filesystem Development]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux