* [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
@ 2013-01-10 8:57 Dan Carpenter
2013-01-10 9:21 ` Jeff Liu
2013-10-21 12:30 ` David Sterba
0 siblings, 2 replies; 4+ messages in thread
From: Dan Carpenter @ 2013-01-10 8:57 UTC (permalink / raw)
To: Chris Mason, Alexander Block; +Cc: linux-btrfs, kernel-janitors
The closing parenthesis is in the wrong place. We want to check
"sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
"sizeof(*arg->clone_sources * arg->clone_sources_count)".
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is also vulnerable to integer overflows. It's only done under
root, but these days we are trying to restrict what root can do without
configuring Secure Boot in UEFI.
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 5445454..4be3832 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
}
if (!access_ok(VERIFY_READ, arg->clone_sources,
- sizeof(*arg->clone_sources *
- arg->clone_sources_count))) {
+ sizeof(*arg->clone_sources) *
+ arg->clone_sources_count)) {
ret = -EFAULT;
goto out;
}
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
2013-01-10 8:57 [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send() Dan Carpenter
@ 2013-01-10 9:21 ` Jeff Liu
2013-10-21 12:30 ` David Sterba
1 sibling, 0 replies; 4+ messages in thread
From: Jeff Liu @ 2013-01-10 9:21 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Chris Mason, Alexander Block, linux-btrfs, kernel-janitors
On 01/10/2013 04:57 PM, Dan Carpenter wrote:
> The closing parenthesis is in the wrong place. We want to check
> "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
> "sizeof(*arg->clone_sources * arg->clone_sources_count)".
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This is also vulnerable to integer overflows. It's only done under
> root, but these days we are trying to restrict what root can do without
> configuring Secure Boot in UEFI.
>
> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
> index 5445454..4be3832 100644
> --- a/fs/btrfs/send.c
> +++ b/fs/btrfs/send.c
> @@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
> }
>
> if (!access_ok(VERIFY_READ, arg->clone_sources,
> - sizeof(*arg->clone_sources *
> - arg->clone_sources_count))) {
> + sizeof(*arg->clone_sources) *
> + arg->clone_sources_count)) {
> ret = -EFAULT;
> goto out;
> }
Reviewed-by: Jie Liu <jeff.liu@oracle.com>
Thanks,
-Jeff
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
2013-01-10 8:57 [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send() Dan Carpenter
2013-01-10 9:21 ` Jeff Liu
@ 2013-10-21 12:30 ` David Sterba
2013-11-18 10:57 ` David Sterba
1 sibling, 1 reply; 4+ messages in thread
From: David Sterba @ 2013-10-21 12:30 UTC (permalink / raw)
To: Chris Mason
Cc: Dan Carpenter, Alexander Block, linux-btrfs, kernel-janitors,
jbacik
On Thu, Jan 10, 2013 at 11:57:25AM +0300, Dan Carpenter wrote:
> The closing parenthesis is in the wrong place. We want to check
> "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
> "sizeof(*arg->clone_sources * arg->clone_sources_count)".
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Original message id: <20130110085725.GA23063@elgon.mountain>
This patch hasn't been applied.
> ---
> This is also vulnerable to integer overflows. It's only done under
> root, but these days we are trying to restrict what root can do without
> configuring Secure Boot in UEFI.
Although it's a security fix, it's not exploitable by a user so it's not
that urgent to get it merged. Nevertheless, I hope you can squeeze it
into 3.12-rc so we can then start pushing it to stable kernels (at least
3.10).
> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
> index 5445454..4be3832 100644
> --- a/fs/btrfs/send.c
> +++ b/fs/btrfs/send.c
> @@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_)
> }
>
> if (!access_ok(VERIFY_READ, arg->clone_sources,
> - sizeof(*arg->clone_sources *
> - arg->clone_sources_count))) {
> + sizeof(*arg->clone_sources) *
> + arg->clone_sources_count)) {
> ret = -EFAULT;
> goto out;
> }
david
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send()
2013-10-21 12:30 ` David Sterba
@ 2013-11-18 10:57 ` David Sterba
0 siblings, 0 replies; 4+ messages in thread
From: David Sterba @ 2013-11-18 10:57 UTC (permalink / raw)
To: jbacik, Dan Carpenter, linux-btrfs, kernel-janitors
On Mon, Oct 21, 2013 at 02:30:05PM +0200, David Sterba wrote:
> On Thu, Jan 10, 2013 at 11:57:25AM +0300, Dan Carpenter wrote:
> > The closing parenthesis is in the wrong place. We want to check
> > "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of
> > "sizeof(*arg->clone_sources * arg->clone_sources_count)".
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> Original message id: <20130110085725.GA23063@elgon.mountain>
>
> This patch hasn't been applied.
Please add this patch to btrfs-next.
david
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-11-18 10:57 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-10 8:57 [patch] Btrfs: fix access_ok() check in btrfs_ioctl_send() Dan Carpenter
2013-01-10 9:21 ` Jeff Liu
2013-10-21 12:30 ` David Sterba
2013-11-18 10:57 ` David Sterba
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox