CVE-2015-1420 fhandle race condition (rhbz 1187534 1227417)
parent aee0909293
commit ad993ee0be
|
@ -688,6 +688,9 @@ Patch26215: HID-lenovo-set-INPUT_PROP_POINTING_STICK.patch
|
|||
#rhbz 1218882
|
||||
Patch26216: 0001-target-use-vfs_iter_read-write-in-fd_do_rw.patch
|
||||
|
||||
#CVE-2015-1420 rhbz 1187534 1227417
|
||||
Patch26217: vfs-read-file_handle-only-once-in-handle_to_path.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1479,6 +1482,9 @@ ApplyPatch HID-lenovo-set-INPUT_PROP_POINTING_STICK.patch
|
|||
#rhbz 1218882
|
||||
ApplyPatch 0001-target-use-vfs_iter_read-write-in-fd_do_rw.patch
|
||||
|
||||
#CVE-2015-1420 rhbz 1187534 1227417
|
||||
ApplyPatch vfs-read-file_handle-only-once-in-handle_to_path.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2338,6 +2344,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Wed Jun 03 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2015-1420 fhandle race condition (rhbz 1187534 1227417)
|
||||
|
||||
* Tue Jun 02 2015 Laura Abbott <labbott@fedoraproject.org>
|
||||
- Fix fd_do_rw error (rhbz 1218882)
|
||||
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
From: Sasha Levin <sasha.levin@oracle.com>
|
||||
Date: Wed, 28 Jan 2015 15:30:43 -0500
|
||||
Subject: [PATCH] vfs: read file_handle only once in handle_to_path
|
||||
|
||||
We used to read file_handle twice. Once to get the amount of extra
|
||||
bytes, and once to fetch the entire structure.
|
||||
|
||||
This may be problematic since we do size verifications only after the
|
||||
first read, so if the number of extra bytes changes in userspace between
|
||||
the first and second calls, we'll have an incoherent view of
|
||||
file_handle.
|
||||
|
||||
Instead, read the constant size once, and copy that over to the final
|
||||
structure without having to re-read it again.
|
||||
|
||||
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
Cc: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/fhandle.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fs/fhandle.c b/fs/fhandle.c
|
||||
index 999ff5c3cab0..d59712dfa3e7 100644
|
||||
--- a/fs/fhandle.c
|
||||
+++ b/fs/fhandle.c
|
||||
@@ -195,8 +195,9 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
|
||||
goto out_err;
|
||||
}
|
||||
/* copy the full handle */
|
||||
- if (copy_from_user(handle, ufh,
|
||||
- sizeof(struct file_handle) +
|
||||
+ *handle = f_handle;
|
||||
+ if (copy_from_user(&handle->f_handle,
|
||||
+ &ufh->f_handle,
|
||||
f_handle.handle_bytes)) {
|
||||
retval = -EFAULT;
|
||||
goto out_handle;
|
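Review bot: The context comment `/* copy the full handle */` at the top of this hunk is stale after the change. The fixed-size header now comes from the kernel-side copy via `*handle = f_handle;`, and only `f_handle.handle_bytes` bytes of the variable-length payload are fetched from `ufh`. Suggest rewording the comment to say that the header is reused from the first read and only the opaque bytes are copied from userspace, so a later cleanup does not fold the two steps back into one copy_from_user() over the whole structure and bring back the second read of handle_bytes. The local struct `f_handle` and the member `f_handle` in `&handle->f_handle` share a name, which makes the added lines easy to misread; the comment is a good place to point that out.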