| From 7d3e91a89b7adbc2831334def9e494dd9892f9af Mon Sep 17 00:00:00 2001 |
| From: Sven Wegener <sven.wegener@stealer.net> |
| Date: Sat, 8 Dec 2012 15:30:18 +0100 |
| Subject: NFSv4: Check for buffer length in __nfs4_get_acl_uncached |
| |
| From: Sven Wegener <sven.wegener@stealer.net> |
| |
| commit 7d3e91a89b7adbc2831334def9e494dd9892f9af upstream. |
| |
| Commit 1f1ea6c "NFSv4: Fix buffer overflow checking in |
| __nfs4_get_acl_uncached" accidently dropped the checking for too small |
| result buffer length. |
| |
| If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount |
| supporting ACLs, the ACL has not been cached and the buffer suplied is |
| too short, we still copy the complete ACL, resulting in kernel and user |
| space memory corruption. |
| |
| Signed-off-by: Sven Wegener <sven.wegener@stealer.net> |
| Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/nfs/nfs4proc.c | 7 ++++++- |
| 1 file changed, 6 insertions(+), 1 deletion(-) |
| |
| --- a/fs/nfs/nfs4proc.c |
| +++ b/fs/nfs/nfs4proc.c |
| @@ -3937,8 +3937,13 @@ static ssize_t __nfs4_get_acl_uncached(s |
| goto out_free; |
| } |
| nfs4_write_cached_acl(inode, pages, res.acl_data_offset, res.acl_len); |
| - if (buf) |
| + if (buf) { |
| + if (res.acl_len > buflen) { |
| + ret = -ERANGE; |
| + goto out_free; |
| + } |
| _copy_from_pages(buf, pages, res.acl_data_offset, res.acl_len); |
| + } |
| out_ok: |
| ret = res.acl_len; |
| out_free: |