From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Sachin Prabhu <sprabhu@redhat.com>,
Jian Li <jiali@redhat.com>,
Trond Myklebust <Trond.Myklebust@netapp.com>
Subject: [ 46/47] Avoid beyond bounds copy while caching ACL
Date: Fri, 18 May 2012 14:27:35 -0700 [thread overview]
Message-ID: <20120518212653.363629474@linuxfoundation.org> (raw)
In-Reply-To: <20120518212701.GA5023@kroah.com>
3.3-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sachin Prabhu <sprabhu@redhat.com>
commit 5794d21ef4639f0e33440927bb903f9598c21e92 upstream.
When attempting to cache ACLs returned from the server, if the bitmap
size + the ACL size is greater than a PAGE_SIZE but the ACL size itself
is smaller than a PAGE_SIZE, we can read past the buffer page boundary.
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reported-by: Jian Li <jiali@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/nfs4proc.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3532,16 +3532,16 @@ out:
return ret;
}
-static void nfs4_write_cached_acl(struct inode *inode, const char *buf, size_t acl_len)
+static void nfs4_write_cached_acl(struct inode *inode, struct page **pages, size_t pgbase, size_t acl_len)
{
struct nfs4_cached_acl *acl;
- if (buf && acl_len <= PAGE_SIZE) {
+ if (pages && acl_len <= PAGE_SIZE) {
acl = kmalloc(sizeof(*acl) + acl_len, GFP_KERNEL);
if (acl == NULL)
goto out;
acl->cached = 1;
- memcpy(acl->data, buf, acl_len);
+ _copy_from_pages(acl->data, pages, pgbase, acl_len);
} else {
acl = kmalloc(sizeof(*acl), GFP_KERNEL);
if (acl == NULL)
@@ -3574,7 +3574,6 @@ static ssize_t __nfs4_get_acl_uncached(s
struct nfs_getaclres res = {
.acl_len = buflen,
};
- void *resp_buf;
struct rpc_message msg = {
.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_GETACL],
.rpc_argp = &args,
@@ -3605,7 +3604,6 @@ static ssize_t __nfs4_get_acl_uncached(s
* the page we send as a guess */
if (buf == NULL)
res.acl_flags |= NFS4_ACL_LEN_REQUEST;
- resp_buf = page_address(pages[0]);
dprintk("%s buf %p buflen %zu npages %d args.acl_len %zu\n",
__func__, buf, buflen, npages, args.acl_len);
@@ -3616,9 +3614,9 @@ static ssize_t __nfs4_get_acl_uncached(s
acl_len = res.acl_len - res.acl_data_offset;
if (acl_len > args.acl_len)
- nfs4_write_cached_acl(inode, NULL, acl_len);
+ nfs4_write_cached_acl(inode, NULL, 0, acl_len);
else
- nfs4_write_cached_acl(inode, resp_buf + res.acl_data_offset,
+ nfs4_write_cached_acl(inode, pages, res.acl_data_offset,
acl_len);
if (buf) {
ret = -ERANGE;
next prev parent reply other threads:[~2012-05-18 23:08 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-18 21:27 [ 00/47] 3.3.7-stable review Greg KH
2012-05-18 21:26 ` [ 01/47] ALSA: echoaudio: Remove incorrect part of assertion Greg KH
2012-05-18 21:26 ` [ 02/47] ALSA: HDA: Lessen CPU usage when waiting for chip to respond Greg KH
2012-05-18 21:26 ` [ 03/47] ALSA: hda/realtek - Add missing CD-input pin for MSI-7350 mobo Greg KH
2012-05-18 21:26 ` [ 04/47] ALSA: hda/idt - Fix power-map for speaker-pins with some HP laptops Greg KH
2012-05-18 21:26 ` [ 05/47] usbnet: fix skb traversing races during unlink(v2) Greg KH
2012-05-18 21:26 ` [ 06/47] namespaces, pid_ns: fix leakage on fork() failure Greg KH
2012-05-18 21:26 ` [ 07/47] sparc64: Do not clobber %g2 in xcall_fetch_glob_regs() Greg KH
2012-05-18 21:26 ` [ 08/47] media: marvell-cam: fix an ARM build error Greg KH
2012-05-18 21:26 ` [ 09/47] ARM: 7417/1: vfp: ensure preemption is disabled when enabling VFP access Greg KH
2012-05-18 21:26 ` [ 10/47] ARM: prevent VM_GROWSDOWN mmaps extending below FIRST_USER_ADDRESS Greg KH
2012-05-18 21:27 ` [ 11/47] media: s5p-fimc: Fix locking in subdev set_crop op Greg KH
2012-05-18 21:27 ` [ 12/47] media: rc: Postpone ISR registration Greg KH
2012-05-18 21:27 ` [ 13/47] media: dvb_frontend: fix a regression with DVB-S zig-zag Greg KH
2012-05-18 21:27 ` [ 14/47] ASoC: cs42l73: Sync digital mixer kcontrols to allow for 0dB Greg KH
2012-05-18 21:27 ` [ 15/47] ASoC: wm8994: Fix AIF2ADC power down Greg KH
2012-05-18 21:27 ` [ 16/47] cdc_ether: Ignore bogus union descriptor for RNDIS devices Greg KH
2012-05-18 21:27 ` [ 17/47] cdc_ether: add Novatel USB551L device IDs for FLAG_WWAN Greg KH
2012-05-18 21:27 ` [ 18/47] percpu: pcpu_embed_first_chunk() should free unused parts after all allocs are complete Greg KH
2012-05-18 21:27 ` [ 19/47] kmemleak: Fix the kmemleak tracking of the percpu areas with !SMP Greg KH
2012-05-18 21:27 ` [ 20/47] mtd: fix oops in dataflash driver Greg KH
2012-05-18 21:27 ` [ 21/47] hugetlb: prevent BUG_ON in hugetlb_fault() -> hugetlb_cow() Greg KH
2012-05-18 21:27 ` [ 22/47] mm: nobootmem: fix sign extend problem in __free_pages_memory() Greg KH
2012-05-18 21:27 ` [ 23/47] jffs2: Fix lock acquisition order bug in gc path Greg KH
2012-05-18 21:27 ` [ 24/47] arch/tile: apply commit 74fca9da0 to the compat signal handling as well Greg KH
2012-05-18 21:27 ` [ 25/47] crypto: mv_cesa requires on CRYPTO_HASH to build Greg KH
2012-05-18 21:27 ` [ 26/47] target: Drop incorrect se_lun_acl release for dynamic -> explict ACL conversion Greg KH
2012-05-18 21:27 ` [ 27/47] target: Fix SPC-2 RELEASE bug for multi-session iSCSI client setups Greg KH
2012-05-18 21:27 ` [ 28/47] target: Fix bug in handling of FILEIO + block_device resize ops Greg KH
2012-05-18 21:27 ` [ 29/47] virtio: console: tell host of open ports after resume from s3/s4 Greg KH
2012-05-18 21:27 ` [ 30/47] dm mpath: check if scsi_dh module already loaded before trying to load Greg KH
2012-05-18 21:27 ` [ 31/47] e1000: Prevent reset task killing itself Greg KH
2012-05-18 21:27 ` [ 32/47] MD: Add del_timer_sync to mddev_suspend (fix nasty panic) Greg KH
2012-05-18 21:27 ` [ 33/47] tcp: do_tcp_sendpages() must try to push data out on oom conditions Greg KH
2012-05-18 21:27 ` [ 34/47] init: dont try mounting device as nfs root unless type fully matches Greg KH
2012-05-18 21:27 ` [ 35/47] ext4: avoid deadlock on sync-mounted FS w/o journal Greg KH
2012-05-18 21:27 ` [ 36/47] memcg: free spare array to avoid memory leak Greg KH
2012-05-18 21:27 ` [ 37/47] cifs: fix revalidation test in cifs_llseek() Greg KH
2012-05-18 21:27 ` [ 38/47] compat: Fix RT signal mask corruption via sigprocmask Greg KH
2012-05-18 21:27 ` [ 39/47] dl2k: Clean up rio_ioctl Greg KH
2012-05-18 21:27 ` [ 40/47] OMAPDSS: VENC: fix NULL pointer dereference in DSS2 VENC sysfs debug attr on OMAP4 Greg KH
2012-05-18 21:27 ` [ 41/47] i2c-eg20t: change timeout value 50msec to 1000msec Greg KH
2012-05-18 21:27 ` [ 42/47] spi-topcliff-pch: Modify pci-bus number dynamically to get DMA device info Greg KH
2012-05-18 21:27 ` [ 43/47] spi-topcliff-pch: Fix issue for transmitting over 4KByte Greg KH
2012-05-18 21:27 ` [ 44/47] spi-topcliff-pch: supports a spi mode setup and bit order setup by IO control Greg KH
2012-05-18 21:27 ` [ 45/47] spi-topcliff-pch: add recovery processing in case wait-event timeout Greg KH
2012-05-18 21:27 ` Greg KH [this message]
2012-05-18 21:27 ` [ 47/47] Avoid reading past buffer when calling GETACL Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120518212653.363629474@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Trond.Myklebust@netapp.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jiali@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sprabhu@redhat.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.