David Sterba
2013-Oct-21 12:30 UTC
Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
On Thu, Jan 10, 2013 at 11:57:25AM +0300, Dan Carpenter wrote:> The closing parenthesis is in the wrong place. We want to check > "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of > "sizeof(*arg->clone_sources * arg->clone_sources_count)". > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>Original message id: <20130110085725.GA23063@elgon.mountain> This patch hasn''t been applied.> --- > This is also vulnerable to integer overflows. It''s only done under > root, but these days we are trying to restrict what root can do without > configuring Secure Boot in UEFI.Although it''s a security fix, it''s not exploitable by a user so it''s not that urgent to get it merged. Nevertheless, I hope you can squeeze it into 3.12-rc so we can then start pushing it to stable kernels (at least 3.10).> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c > index 5445454..4be3832 100644 > --- a/fs/btrfs/send.c > +++ b/fs/btrfs/send.c > @@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_) > } > > if (!access_ok(VERIFY_READ, arg->clone_sources, > - sizeof(*arg->clone_sources * > - arg->clone_sources_count))) { > + sizeof(*arg->clone_sources) * > + arg->clone_sources_count)) { > ret = -EFAULT; > goto out; > }david -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
David Sterba
2013-Nov-18 10:57 UTC
Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
On Mon, Oct 21, 2013 at 02:30:05PM +0200, David Sterba wrote:> On Thu, Jan 10, 2013 at 11:57:25AM +0300, Dan Carpenter wrote: > > The closing parenthesis is in the wrong place. We want to check > > "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of > > "sizeof(*arg->clone_sources * arg->clone_sources_count)". > > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > Original message id: <20130110085725.GA23063@elgon.mountain> > > This patch hasn''t been applied.Please add this patch to btrfs-next. david -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Reasonably Related Threads
- [PATCH] Btrfs: fix typo in send.c
- [PATCH] Btrfs-progs: add send option for using new end-cmd semantic
- [PATCH] btrfs: add "no file data" flag to btrfs send ioctl
- [nut-commits] svn commit r1866 - in trunk: . drivers man
- [PATCH 0/3] Send: minor cleanups, add RO checks