| From be6324c00c4d1e0e665f03ed1fc18863a88da119 Mon Sep 17 00:00:00 2001 |
| From: "Darrick J. Wong" <darrick.wong@oracle.com> |
| Date: Mon, 3 Apr 2017 15:17:57 -0700 |
| Subject: xfs: fix over-copying of getbmap parameters from userspace |
| |
| From: Darrick J. Wong <darrick.wong@oracle.com> |
| |
| commit be6324c00c4d1e0e665f03ed1fc18863a88da119 upstream. |
| |
| In xfs_ioc_getbmap, we should only copy the fields of struct getbmap |
| from userspace, or else we end up copying random stack contents into the |
| kernel. struct getbmap is a strict subset of getbmapx, so a partial |
| structure copy should work fine. |
| |
| Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> |
| Reviewed-by: Christoph Hellwig <hch@lst.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/xfs/xfs_ioctl.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| --- a/fs/xfs/xfs_ioctl.c |
| +++ b/fs/xfs/xfs_ioctl.c |
| @@ -1542,10 +1542,11 @@ xfs_ioc_getbmap( |
| unsigned int cmd, |
| void __user *arg) |
| { |
| - struct getbmapx bmx; |
| + struct getbmapx bmx = { 0 }; |
| int error; |
| |
| - if (copy_from_user(&bmx, arg, sizeof(struct getbmapx))) |
| + /* struct getbmap is a strict subset of struct getbmapx. */ |
| + if (copy_from_user(&bmx, arg, offsetof(struct getbmapx, bmv_iflags))) |
| return -EFAULT; |
| |
| if (bmx.bmv_count < 2) |
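Review bot: The length passed to `copy_from_user` assumes that `bmv_iflags` is the first member of `struct getbmapx` after the fields it shares with `struct getbmap`, and nothing in the hunk enforces that. Neither struct definition is visible in this patch, so the assumption should be pinned at compile time, e.g. `BUILD_BUG_ON(offsetof(struct getbmapx, bmv_iflags) != sizeof(struct getbmap));`, or the length written directly as `sizeof(struct getbmap)`. The new comment could also note that the `= { 0 }` initializer is what keeps the uncopied tail of `bmx` defined, for example `/* Copy only the struct getbmap prefix; the getbmapx-only fields stay zeroed. */`. The body of xfs_ioc_getbmap continues past the end of the hunk, so later uses of the tail fields cannot be checked from here.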