| From 81be3dee96346fbe08c31be5ef74f03f6b63cf68 Mon Sep 17 00:00:00 2001 |
| From: Michal Hocko <mhocko@suse.com> |
| Date: Mon, 8 May 2017 15:57:24 -0700 |
| Subject: [PATCH] fs/xattr.c: zero out memory copied to userspace in getxattr |
| |
| commit 81be3dee96346fbe08c31be5ef74f03f6b63cf68 upstream. |
| |
| getxattr uses vmalloc to allocate memory if kzalloc fails. This is |
| filled by vfs_getxattr and then copied to the userspace. vmalloc, |
| however, doesn't zero out the memory so if the specific implementation |
| of the xattr handler is sloppy we can theoretically expose a kernel |
| memory. There is no real sign this is really the case but let's make |
| sure this will not happen and use vzalloc instead. |
| |
| Fixes: 779302e67835 ("fs/xattr.c:getxattr(): improve handling of allocation failures") |
| Link: http://lkml.kernel.org/r/20170306103327.2766-1-mhocko@kernel.org |
| Acked-by: Kees Cook <keescook@chromium.org> |
| Reported-by: Vlastimil Babka <vbabka@suse.cz> |
| Signed-off-by: Michal Hocko <mhocko@suse.com> |
| Cc: <stable@vger.kernel.org> [3.6+] |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| |
| diff --git a/fs/xattr.c b/fs/xattr.c |
| index 7e3317cf4045..94f49a082dd2 100644 |
| --- a/fs/xattr.c |
| +++ b/fs/xattr.c |
| @@ -530,7 +530,7 @@ getxattr(struct dentry *d, const char __user *name, void __user *value, |
| size = XATTR_SIZE_MAX; |
| kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN); |
| if (!kvalue) { |
| - kvalue = vmalloc(size); |
| + kvalue = vzalloc(size); |
| if (!kvalue) |
| return -ENOMEM; |
| } |
| -- |
| 2.12.0 |
| |