From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Sachin Prabhu <sprabhu@redhat.com>,
Jian Li <jiali@redhat.com>,
Trond Myklebust <Trond.Myklebust@netapp.com>
Subject: [ 46/47] Avoid beyond bounds copy while caching ACL
Date: Fri, 18 May 2012 14:27:35 -0700 [thread overview]
Message-ID: <20120518212653.363629474@linuxfoundation.org> (raw)
In-Reply-To: <20120518212701.GA5023@kroah.com>
3.3-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sachin Prabhu <sprabhu@redhat.com>
commit 5794d21ef4639f0e33440927bb903f9598c21e92 upstream.
When attempting to cache ACLs returned from the server, if the bitmap
size + the ACL size is greater than a PAGE_SIZE but the ACL size itself
is smaller than a PAGE_SIZE, we can read past the buffer page boundary.
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reported-by: Jian Li <jiali@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/nfs4proc.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3532,16 +3532,16 @@ out:
return ret;
}
-static void nfs4_write_cached_acl(struct inode *inode, const char *buf, size_t acl_len)
+static void nfs4_write_cached_acl(struct inode *inode, struct page **pages, size_t pgbase, size_t acl_len)
{
struct nfs4_cached_acl *acl;
- if (buf && acl_len <= PAGE_SIZE) {
+ if (pages && acl_len <= PAGE_SIZE) {
acl = kmalloc(sizeof(*acl) + acl_len, GFP_KERNEL);
if (acl == NULL)
goto out;
acl->cached = 1;
- memcpy(acl->data, buf, acl_len);
+ _copy_from_pages(acl->data, pages, pgbase, acl_len);
} else {
acl = kmalloc(sizeof(*acl), GFP_KERNEL);
if (acl == NULL)
@@ -3574,7 +3574,6 @@ static ssize_t __nfs4_get_acl_uncached(s
struct nfs_getaclres res = {
.acl_len = buflen,
};
- void *resp_buf;
struct rpc_message msg = {
.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_GETACL],
.rpc_argp = &args,
@@ -3605,7 +3604,6 @@ static ssize_t __nfs4_get_acl_uncached(s
* the page we send as a guess */
if (buf == NULL)
res.acl_flags |= NFS4_ACL_LEN_REQUEST;
- resp_buf = page_address(pages[0]);
dprintk("%s buf %p buflen %zu npages %d args.acl_len %zu\n",
__func__, buf, buflen, npages, args.acl_len);
@@ -3616,9 +3614,9 @@ static ssize_t __nfs4_get_acl_uncached(s
acl_len = res.acl_len - res.acl_data_offset;
if (acl_len > args.acl_len)
- nfs4_write_cached_acl(inode, NULL, acl_len);
+ nfs4_write_cached_acl(inode, NULL, 0, acl_len);
else
- nfs4_write_cached_acl(inode, resp_buf + res.acl_data_offset,
+ nfs4_write_cached_acl(inode, pages, res.acl_data_offset,
acl_len);
if (buf) {
ret = -ERANGE;
next prev parent reply other threads:[~2012-05-18 21:27 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-18 21:27 [ 00/47] 3.3.7-stable review Greg KH
2012-05-18 21:26 ` [ 01/47] ALSA: echoaudio: Remove incorrect part of assertion Greg KH
2012-05-18 21:26 ` [ 02/47] ALSA: HDA: Lessen CPU usage when waiting for chip to respond Greg KH
2012-05-18 21:26 ` [ 03/47] ALSA: hda/realtek - Add missing CD-input pin for MSI-7350 mobo Greg KH
2012-05-18 21:26 ` [ 04/47] ALSA: hda/idt - Fix power-map for speaker-pins with some HP laptops Greg KH
2012-05-18 21:26 ` [ 05/47] usbnet: fix skb traversing races during unlink(v2) Greg KH
2012-05-18 21:26 ` [ 06/47] namespaces, pid_ns: fix leakage on fork() failure Greg KH
2012-05-18 21:26 ` [ 07/47] sparc64: Do not clobber %g2 in xcall_fetch_glob_regs() Greg KH
2012-05-18 21:26 ` [ 08/47] media: marvell-cam: fix an ARM build error Greg KH
2012-05-18 21:26 ` [ 09/47] ARM: 7417/1: vfp: ensure preemption is disabled when enabling VFP access Greg KH
2012-05-18 21:26 ` [ 10/47] ARM: prevent VM_GROWSDOWN mmaps extending below FIRST_USER_ADDRESS Greg KH
2012-05-18 21:27 ` [ 11/47] media: s5p-fimc: Fix locking in subdev set_crop op Greg KH
2012-05-18 21:27 ` [ 12/47] media: rc: Postpone ISR registration Greg KH
2012-05-18 21:27 ` [ 13/47] media: dvb_frontend: fix a regression with DVB-S zig-zag Greg KH
2012-05-18 21:27 ` [ 14/47] ASoC: cs42l73: Sync digital mixer kcontrols to allow for 0dB Greg KH
2012-05-18 21:27 ` [ 15/47] ASoC: wm8994: Fix AIF2ADC power down Greg KH
2012-05-18 21:27 ` [ 16/47] cdc_ether: Ignore bogus union descriptor for RNDIS devices Greg KH
2012-05-18 21:27 ` [ 17/47] cdc_ether: add Novatel USB551L device IDs for FLAG_WWAN Greg KH
2012-05-18 21:27 ` [ 18/47] percpu: pcpu_embed_first_chunk() should free unused parts after all allocs are complete Greg KH
2012-05-18 21:27 ` [ 19/47] kmemleak: Fix the kmemleak tracking of the percpu areas with !SMP Greg KH
2012-05-18 21:27 ` [ 20/47] mtd: fix oops in dataflash driver Greg KH
2012-05-18 21:27 ` [ 21/47] hugetlb: prevent BUG_ON in hugetlb_fault() -> hugetlb_cow() Greg KH
2012-05-18 21:27 ` [ 22/47] mm: nobootmem: fix sign extend problem in __free_pages_memory() Greg KH
2012-05-18 21:27 ` [ 23/47] jffs2: Fix lock acquisition order bug in gc path Greg KH
2012-05-18 21:27 ` [ 24/47] arch/tile: apply commit 74fca9da0 to the compat signal handling as well Greg KH
2012-05-18 21:27 ` [ 25/47] crypto: mv_cesa requires on CRYPTO_HASH to build Greg KH
2012-05-18 21:27 ` [ 26/47] target: Drop incorrect se_lun_acl release for dynamic -> explict ACL conversion Greg KH
2012-05-18 21:27 ` [ 27/47] target: Fix SPC-2 RELEASE bug for multi-session iSCSI client setups Greg KH
2012-05-18 21:27 ` [ 28/47] target: Fix bug in handling of FILEIO + block_device resize ops Greg KH
2012-05-18 21:27 ` [ 29/47] virtio: console: tell host of open ports after resume from s3/s4 Greg KH
2012-05-18 21:27 ` [ 30/47] dm mpath: check if scsi_dh module already loaded before trying to load Greg KH
2012-05-18 21:27 ` [ 31/47] e1000: Prevent reset task killing itself Greg KH
2012-05-18 21:27 ` [ 32/47] MD: Add del_timer_sync to mddev_suspend (fix nasty panic) Greg KH
2012-05-18 21:27 ` [ 33/47] tcp: do_tcp_sendpages() must try to push data out on oom conditions Greg KH
2012-05-18 21:27 ` [ 34/47] init: dont try mounting device as nfs root unless type fully matches Greg KH
2012-05-18 21:27 ` [ 35/47] ext4: avoid deadlock on sync-mounted FS w/o journal Greg KH
2012-05-18 21:27 ` [ 36/47] memcg: free spare array to avoid memory leak Greg KH
2012-05-18 21:27 ` [ 37/47] cifs: fix revalidation test in cifs_llseek() Greg KH
2012-05-18 21:27 ` [ 38/47] compat: Fix RT signal mask corruption via sigprocmask Greg KH
2012-05-18 21:27 ` [ 39/47] dl2k: Clean up rio_ioctl Greg KH
2012-05-18 21:27 ` [ 40/47] OMAPDSS: VENC: fix NULL pointer dereference in DSS2 VENC sysfs debug attr on OMAP4 Greg KH
2012-05-18 21:27 ` [ 41/47] i2c-eg20t: change timeout value 50msec to 1000msec Greg KH
2012-05-18 21:27 ` [ 42/47] spi-topcliff-pch: Modify pci-bus number dynamically to get DMA device info Greg KH
2012-05-18 21:27 ` [ 43/47] spi-topcliff-pch: Fix issue for transmitting over 4KByte Greg KH
2012-05-18 21:27 ` [ 44/47] spi-topcliff-pch: supports a spi mode setup and bit order setup by IO control Greg KH
2012-05-18 21:27 ` [ 45/47] spi-topcliff-pch: add recovery processing in case wait-event timeout Greg KH
2012-05-18 21:27 ` Greg KH [this message]
2012-05-18 21:27 ` [ 47/47] Avoid reading past buffer when calling GETACL Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120518212653.363629474@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Trond.Myklebust@netapp.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jiali@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sprabhu@redhat.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).