AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
51788b1bdd
kernel_optimize_test/fs
History
Dan Rosenberg 51788b1bdd btrfs: prevent heap corruption in btrfs_ioctl_space_info() 
Commit bf5fc093c5 refactored
btrfs_ioctl_space_info() and introduced several security issues.

space_args.space_slots is an unsigned 64-bit type controlled by a
possibly unprivileged caller.  The comparison as a signed int type
allows providing values that are treated as negative and cause the
subsequent allocation size calculation to wrap, or be truncated to 0.
By providing a size that's truncated to 0, kmalloc() will return
ZERO_SIZE_PTR.  It's also possible to provide a value smaller than the
slot count.  The subsequent loop ignores the allocation size when
copying data in, resulting in a heap overflow or write to ZERO_SIZE_PTR.

The fix changes the slot count type and comparison typecast to u64,
which prevents truncation or signedness errors, and also ensures that we
don't copy more data than we've allocated in the subsequent loop.  Note
that zero-size allocations are no longer possible since there is already
an explicit check for space_args.space_slots being 0 and truncation of
this value is no longer an issue.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Josef Bacik <josef@redhat.com>
Reviewed-by: Josef Bacik <josef@redhat.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
2011-02-14 16:04:23 -05:00
..
9p
adfs
affs
afs
autofs
autofs4
befs
bfs
btrfs btrfs: prevent heap corruption in btrfs_ioctl_space_info() 2011-02-14 16:04:23 -05:00
cachefiles
ceph ceph: update issue_seq on cap grant 2010-10-07 08:01:50 -07:00
cifs
coda
configfs
cramfs
debugfs
devpts
dlm
ecryptfs
efs
exofs exofs: Fix double page_unlock BUG in write_begin/end 2010-10-08 11:26:54 -04:00
exportfs
ext2
ext3
ext4
fat
freevxfs
fscache
fuse
gfs2
hfs
hfsplus
hostfs
hpfs
hppfs
hugetlbfs
isofs
jbd
jbd2
jffs2
jfs
lockd
logfs
minix
ncpfs
nfs
nfs_common
nfsd nfsd: fix BUG at fs/nfsd/nfsfh.h:199 on unlink 2010-10-13 15:48:55 -04:00
nilfs2
nls
notify fanotify: disable fanotify syscalls 2010-10-11 18:15:28 -07:00
ntfs
ocfs2
omfs
openpromfs
partitions
proc
qnx4
quota
ramfs
reiserfs
romfs
smbfs
squashfs
sysfs
sysv
ubifs
udf
ufs
xfs xfs: properly account for reclaimed inodes 2010-10-06 22:35:48 -05:00
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c Don't dump task struct in a.out core-dumps 2010-10-14 10:57:40 -07:00
binfmt_elf_fdpic.c
binfmt_elf.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c
bio.c
block_dev.c
buffer.c
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c
compat.c
dcache.c
dcookies.c
direct-io.c
drop_caches.c
eventfd.c
eventpoll.c
exec.c Export dump_{write,seek} to binary loader modules 2010-10-14 19:15:28 -07:00
fcntl.c
fifo.c
file_table.c
file.c
filesystems.c
fs_struct.c
fs-writeback.c Add new functions for triggering inode writeback 2010-10-29 11:25:29 -04:00
generic_acl.c
inode.c
internal.h
ioctl.c
ioprio.c
Kconfig
Kconfig.binfmt
libfs.c
locks.c
Makefile
mbcache.c
mpage.c
namei.c
namespace.c
nfsctl.c
no-block.c
open.c
pipe.c
pnode.c
pnode.h
posix_acl.c
read_write.c
read_write.h
readdir.c
select.c
seq_file.c
signalfd.c
splice.c
stack.c
stat.c
statfs.c
super.c
sync.c
timerfd.c
utimes.c
xattr_acl.c
xattr.c