[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

+ xfs-underflow-bug-in-xfs_attrlist_by_handle.patch added to -mm tree

Subject: + xfs-underflow-bug-in-xfs_attrlist_by_handle.patch added to -mm tree
To: dan.carpenter@xxxxxxxxxx,bpm@xxxxxxx,dchinner@xxxxxxxxxx,elder@xxxxxxxxxx,fabs@xxxxxxxxx,nico@xxxxxxxxx
From: akpm@xxxxxxxxxxxxxxxxxxxx
Date: Tue, 05 Nov 2013 13:51:23 -0800

The patch titled
     Subject: xfs: underflow bug in xfs_attrlist_by_handle()
has been added to the -mm tree.  Its filename is

This patch should soon appear at
and later at

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Subject: xfs: underflow bug in xfs_attrlist_by_handle()

If we allocate less than sizeof(struct attrlist) then we end up corrupting
memory or doing a ZERO_PTR_SIZE dereference.

This can only be triggered with CAP_SYS_ADMIN.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reported-by: Nico Golde <nico@xxxxxxxxx>
Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>
Cc: Ben Myers <bpm@xxxxxxx>
Cc: Alex Elder <elder@xxxxxxxxxx>
Reviewed-by: Dave Chinner <dchinner@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>

 fs/xfs/xfs_ioctl.c   |    3 ++-
 fs/xfs/xfs_ioctl32.c |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff -puN fs/xfs/xfs_ioctl.c~xfs-underflow-bug-in-xfs_attrlist_by_handle fs/xfs/xfs_ioctl.c
--- a/fs/xfs/xfs_ioctl.c~xfs-underflow-bug-in-xfs_attrlist_by_handle
+++ a/fs/xfs/xfs_ioctl.c
@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
 		return -XFS_ERROR(EPERM);
 	if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
 		return -XFS_ERROR(EFAULT);
-	if (al_hreq.buflen > XATTR_LIST_MAX)
+	if (al_hreq.buflen < sizeof(struct attrlist) ||
+	    al_hreq.buflen > XATTR_LIST_MAX)
 		return -XFS_ERROR(EINVAL);
diff -puN fs/xfs/xfs_ioctl32.c~xfs-underflow-bug-in-xfs_attrlist_by_handle fs/xfs/xfs_ioctl32.c
--- a/fs/xfs/xfs_ioctl32.c~xfs-underflow-bug-in-xfs_attrlist_by_handle
+++ a/fs/xfs/xfs_ioctl32.c
@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
 	if (copy_from_user(&al_hreq, arg,
 		return -XFS_ERROR(EFAULT);
-	if (al_hreq.buflen > XATTR_LIST_MAX)
+	if (al_hreq.buflen < sizeof(struct attrlist) ||
+	    al_hreq.buflen > XATTR_LIST_MAX)
 		return -XFS_ERROR(EINVAL);

Patches currently in -mm which might be from dan.carpenter@xxxxxxxxxx are


To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Newbies FAQ]     [Kernel Archive]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [Bugtraq]     [Photo]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Linux Resources]

Add to Google Powered by Linux