| From d337b66a4c52c7b04eec661d86c2ef6e168965a2 Mon Sep 17 00:00:00 2001 |
| From: Jan Harkes <jaharkes@cs.cmu.edu> |
| Date: Wed, 27 Sep 2017 15:52:12 -0400 |
| Subject: coda: fix 'kernel memory exposure attempt' in fsync |
| |
| From: Jan Harkes <jaharkes@cs.cmu.edu> |
| |
| commit d337b66a4c52c7b04eec661d86c2ef6e168965a2 upstream. |
| |
| When an application called fsync on a file in Coda, a small request with |
| just the file identifier was allocated, but the declared length was set |
| to the size of the union of all possible upcall requests. |
| |
| This bug has been around for a very long time and is now caught by the |
| extra checking in usercopy that was introduced in Linux-4.8. |
| |
| The exposure happens when the Coda cache manager process reads the fsync |
| upcall request at which point it is killed. As a result there is nobody |
| servicing any further upcalls, trapping any processes that try to access |
| the mounted Coda filesystem. |
| |
| Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu> |
| Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
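The following is a user-space model of the bug class the commit message describes, added here as an illustration; it is not code from the Coda project or the kernel. The struct layouts, the `kmalloc_model`/`kfree_model`/`copy_to_user_model` helpers and the opcode value are constructed for the example, and it assumes (as the `CODA_FREE(inp, insize)` line in the patch suggests) that `insize` is the size of the fsync request alone. The "before" path declares `sizeof(union inputArgs)` for a buffer allocated with only `sizeof(struct coda_fsync_in)` bytes; the bounds check mirrors what hardened usercopy does when the cache manager reads the request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for Coda's upcall types (not the kernel's real
 * definitions): the fsync request is tiny, a sibling member is large, so
 * sizeof(union inputArgs) is far bigger than sizeof(struct coda_fsync_in). */
struct coda_in_hdr   { uint32_t opcode; uint32_t unique; };
struct coda_fsync_in { struct coda_in_hdr ih; uint32_t VFid[4]; };
struct coda_big_in   { struct coda_in_hdr ih; char path[1024]; };
union inputArgs {
    struct coda_in_hdr   ih;
    struct coda_fsync_in coda_fsync;
    struct coda_big_in   coda_big;
};

/* Toy allocation table so the copy_to_user stand-in below can perform the
 * check hardened usercopy performs: the source range must lie inside one
 * heap object. The real kernel checks against the slab object size; this
 * model uses the requested length, which is enough to show the mismatch. */
#define MAX_OBJS 16
static struct { char *base; size_t len; } objs[MAX_OBJS];
static int nobjs;

static void *kmalloc_model(size_t len)
{
    char *p = calloc(1, len);
    if (!p || nobjs == MAX_OBJS) { free(p); return NULL; }
    objs[nobjs].base = p;
    objs[nobjs].len  = len;
    nobjs++;
    return p;
}

static void kfree_model(void *p)
{
    for (int i = 0; i < nobjs; i++) {
        if (objs[i].base == p) {
            objs[i] = objs[nobjs - 1];
            nobjs--;
            free(p);
            return;
        }
    }
}

/* copy_to_user stand-in. Returns 0 on a bounded copy, -1 when [src, src+len)
 * runs past the end of the object that contains src: the condition hardened
 * usercopy reports as a "kernel memory exposure attempt" and answers by
 * killing the calling task. */
static int copy_to_user_model(void *dst, const void *src, size_t len)
{
    const char *s = src;
    for (int i = 0; i < nobjs; i++) {
        const char *b = objs[i].base, *e = b + objs[i].len;
        if (s >= b && s < e)
            return (s + len <= e) ? (memcpy(dst, src, len), 0) : -1;
    }
    return -1; /* src is not inside any live allocation */
}

/* Model of venus_fsync: allocate exactly the fsync request (what UPARG's
 * insize is assumed to be, matching the CODA_FREE(inp, insize) in the patch)
 * and then hand `declared` bytes to the cache manager. */
static int venus_fsync_model(size_t declared)
{
    size_t insize = sizeof(struct coda_fsync_in);
    char user_buf[sizeof(union inputArgs)];
    union inputArgs *inp = kmalloc_model(insize);
    if (!inp)
        return -1;
    inp->ih.opcode = 1;                               /* CODA_FSYNC placeholder */
    memset(inp->coda_fsync.VFid, 0xab, sizeof inp->coda_fsync.VFid);
    int rc = copy_to_user_model(user_buf, inp, declared);
    kfree_model(inp);
    return rc;
}

/* Before the patch: declared length is the whole union. */
int fsync_before_fix(void) { return venus_fsync_model(sizeof(union inputArgs)); }
/* After the patch: declared length is insize, the bytes actually allocated. */
int fsync_after_fix(void)  { return venus_fsync_model(sizeof(struct coda_fsync_in)); }

int main(void)
{
    printf("union %zu bytes, fsync request %zu bytes\n",
           sizeof(union inputArgs), sizeof(struct coda_fsync_in));
    printf("before fix: %s\n", fsync_before_fix() ? "exposure attempt caught" : "ok");
    printf("after fix:  %s\n", fsync_after_fix()  ? "exposure attempt caught" : "ok");
    return 0;
}
```

The model deliberately keeps the declared length and the allocation size as two separate values, because that is the whole bug: the bytes beyond the small allocation are whatever neighbours the object on the heap, and only the length argument decides whether they are handed to user space.
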
| --- |
| fs/coda/upcall.c | 3 +-- |
| 1 file changed, 1 insertion(+), 2 deletions(-) |
| |
| --- a/fs/coda/upcall.c |
| +++ b/fs/coda/upcall.c |
| @@ -447,8 +447,7 @@ int venus_fsync(struct super_block *sb, |
| UPARG(CODA_FSYNC); |
| |
| inp->coda_fsync.VFid = *fid; |
| - error = coda_upcall(coda_vcp(sb), sizeof(union inputArgs), |
| - &outsize, inp); |
| + error = coda_upcall(coda_vcp(sb), insize, &outsize, inp); |
| |
| CODA_FREE(inp, insize); |
| return error; |
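Review bot: the fix is right for this call site, but the same mismatch should be audited in the other venus_* helpers in fs/coda/upcall.c before this lands, since any caller that still passes `sizeof(union inputArgs)` to coda_upcall for a request allocated with a smaller `insize` will trip the same usercopy check and kill the cache manager. The `CODA_FREE(inp, insize)` line in this hunk shows `insize` is the true allocation size, so the rule "the length handed to coda_upcall must be the length handed to CODA_FREE" holds for every upcall; a one-line comment at the coda_upcall call (e.g. `/* insize bytes are copied to the cache manager; never declare more than was allocated */`) would make that invariant visible to the next person editing these helpers.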