| From a122eb2fdfd78b58c6dd992d6f4b1aaef667eef9 Mon Sep 17 00:00:00 2001 |
| From: Dan Rosenberg <dan.j.rosenberg@gmail.com> |
| Date: Mon, 6 Sep 2010 18:24:57 -0400 |
| Subject: xfs: prevent reading uninitialized stack memory |
| |
| From: Dan Rosenberg <dan.j.rosenberg@gmail.com> |
| |
| commit a122eb2fdfd78b58c6dd992d6f4b1aaef667eef9 upstream. |
| |
| The XFS_IOC_FSGETXATTR ioctl allows unprivileged users to read 12 |
| bytes of uninitialized stack memory, because the fsxattr struct |
| declared on the stack in xfs_ioc_fsgetxattr() does not alter (or zero) |
| the 12-byte fsx_pad member before copying it back to the user. This |
| patch takes care of it. |
| |
| Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> |
| Reviewed-by: Eric Sandeen <sandeen@redhat.com> |
| Signed-off-by: Alex Elder <aelder@sgi.com> |
| Cc: dann frazier <dannf@debian.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| fs/xfs/linux-2.6/xfs_ioctl.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/fs/xfs/linux-2.6/xfs_ioctl.c |
| +++ b/fs/xfs/linux-2.6/xfs_ioctl.c |
| @@ -789,6 +789,8 @@ xfs_ioc_fsgetxattr( |
| { |
| struct fsxattr fa; |
| |
| + memset(&fa, 0, sizeof(struct fsxattr)); |
| + |
| xfs_ilock(ip, XFS_ILOCK_SHARED); |
| fa.fsx_xflags = xfs_ip2xflags(ip); |
| fa.fsx_extsize = ip->i_d.di_extsize << ip->i_mount->m_sb.sb_blocklog; |
