| From 4617f564c06117c7d1b611be49521a4430042287 Mon Sep 17 00:00:00 2001 |
| From: Adrian Salido <salidoa@google.com> |
| Date: Thu, 27 Apr 2017 10:32:55 -0700 |
| Subject: [PATCH] dm ioctl: prevent stack leak in dm ioctl call |
| |
| commit 4617f564c06117c7d1b611be49521a4430042287 upstream. |
| |
| When calling a dm ioctl that doesn't process any data |
| (IOCTL_FLAGS_NO_PARAMS), the contents of the data field in struct |
| dm_ioctl are left initialized. Current code is incorrectly extending |
| the size of data copied back to user, causing the contents of kernel |
| stack to be leaked to user. Fix by only copying contents before data |
| and allow the functions processing the ioctl to override. |
| |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Adrian Salido <salidoa@google.com> |
| Reviewed-by: Alasdair G Kergon <agk@redhat.com> |
| Signed-off-by: Mike Snitzer <snitzer@redhat.com> |
| |
| diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c |
| index 0956b8659360..ddda8107aa7e 100644 |
| --- a/drivers/md/dm-ioctl.c |
| +++ b/drivers/md/dm-ioctl.c |
| @@ -1840,7 +1840,7 @@ static int ctl_ioctl(uint command, struct dm_ioctl __user *user) |
| if (r) |
| goto out; |
| |
| - param->data_size = sizeof(*param); |
| + param->data_size = offsetof(struct dm_ioctl, data); |
| r = fn(param, input_param_size); |
| |
| if (unlikely(param->flags & DM_BUFFER_FULL_FLAG) && |
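Review bot: the new default of `offsetof(struct dm_ioctl, data)` at the `param->data_size = ...` line only closes the leak if every handler reached through `r = fn(param, input_param_size);` that writes into `param->data` also sets `param->data_size` itself before returning; that is not visible in this context, so please confirm it and document the contract above the assignment, e.g. `/* handlers that return data must set param->data_size themselves */`, so a future handler that forgets does not silently have its output truncated at the header. It is also worth double-checking that the copy back to user space (the `DM_BUFFER_FULL_FLAG` path below and the normal path) derives its length from `param->data_size` and not from `sizeof(*param)`, otherwise the uninitialised tail of the struct would still reach the caller.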
| -- |
| 2.12.0 |
| |