FEX-Emu/linux
1
0
Fork 0
mirror of https://github.com/FEX-Emu/linux.git synced 2025-01-11 20:07:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

xfs: fix type confusion in xfs_ioc_swapext

Browse Source 
Without this check, the following XFS_I invocations would return bad
pointers when used on non-XFS inodes (perhaps pointers into preceding
allocator chunks).

This could be used by an attacker to trick xfs_swap_extents into
performing locking operations on attacker-chosen structures in kernel
memory, potentially leading to code execution in the kernel.  (I have
not investigated how likely this is to be usable for an attack in
practice.)

Signed-off-by: Jann Horn <jann@thejh.net>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Chinner <david@fromorbit.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Jann Horn 2015-09-11 21:39:33 +02:00 committed by Linus Torvalds
parent aa93d1fee8
commit 3e0a396546
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
fs/xfs/xfs_ioctl.c
View File

@ -1575,6 +1575,12 @@ xfs_ioc_swapext(
goto out_put_tmp_file; goto out_put_tmp_file;
} }
if (f.file->f_op != &xfs_file_operations ||
tmp.file->f_op != &xfs_file_operations) {
error = -EINVAL;
goto out_put_tmp_file;
}
ip = XFS_I(file_inode(f.file)); ip = XFS_I(file_inode(f.file));
tip = XFS_I(file_inode(tmp.file)); tip = XFS_I(file_inode(tmp.file));