stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>
Subject: [PATCH 4.1 122/127] staging: lustre: echo_copy.._lsm() dereferences userland pointers directly
Date: Wed, 27 Jan 2016 10:14:46 -0800
Message-ID: <20160127180811.957945644@linuxfoundation.org>
In-Reply-To: <20160127180805.624425994@linuxfoundation.org>

4.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit 9225c0b7b976dd9ceac2b80727a60d8fcb906a62 upstream.

missing get_user()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/lustre/lustre/obdecho/echo_client.c |   20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

--- a/drivers/staging/lustre/lustre/obdecho/echo_client.c
+++ b/drivers/staging/lustre/lustre/obdecho/echo_client.c
@@ -1268,6 +1268,7 @@ static int
 echo_copyout_lsm(struct lov_stripe_md *lsm, void *_ulsm, int ulsm_nob)
 {
 	struct lov_stripe_md *ulsm = _ulsm;
+	struct lov_oinfo **p;
 	int nob, i;
 
 	nob = offsetof(struct lov_stripe_md, lsm_oinfo[lsm->lsm_stripe_count]);
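
Review bot: in echo_copyout_lsm() the user buffer still arrives as `void *_ulsm` and is aliased by `struct lov_stripe_md *ulsm = _ulsm;` with no __user annotation, while this same patch retypes the echo_copyin_lsm() parameter to `struct lov_stripe_md __user *ulsm`. Without the annotation sparse cannot flag a direct dereference of ulsm in this function, which is the class of bug being fixed. Suggest giving the parameter the same `struct lov_stripe_md __user *` type and dropping the local alias.
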
@@ -1277,9 +1278,10 @@ echo_copyout_lsm(struct lov_stripe_md *l
 	if (copy_to_user(ulsm, lsm, sizeof(*ulsm)))
 		return -EFAULT;
 
-	for (i = 0; i < lsm->lsm_stripe_count; i++) {
-		if (copy_to_user(ulsm->lsm_oinfo[i], lsm->lsm_oinfo[i],
-				      sizeof(lsm->lsm_oinfo[0])))
+	for (i = 0, p = lsm->lsm_oinfo; i < lsm->lsm_stripe_count; i++, p++) {
+		struct lov_oinfo __user *up;
+		if (get_user(up, ulsm->lsm_oinfo + i) ||
+		    copy_to_user(up, *p, sizeof(struct lov_oinfo)))
 			return -EFAULT;
 	}
 	return 0;
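
Review bot: the new `p` cursor in the for loop only mirrors `i`, so `copy_to_user(up, lsm->lsm_oinfo[i], sizeof(struct lov_oinfo))` would do the same job without the extra variable and the two-variable loop header. There is also no blank line between the declaration of `up` and the `if`, which checkpatch warns about. A one-line comment saying that each ulsm->lsm_oinfo[i] slot holds a user pointer that has to be fetched with get_user() before it is used as a copy destination would document why the access is done in two steps.
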
@@ -1287,9 +1289,10 @@ echo_copyout_lsm(struct lov_stripe_md *l
 
 static int
 echo_copyin_lsm(struct echo_device *ed, struct lov_stripe_md *lsm,
-		 void *ulsm, int ulsm_nob)
+		struct lov_stripe_md __user *ulsm, int ulsm_nob)
 {
 	struct echo_client_obd *ec = ed->ed_ec;
+	struct lov_oinfo **p;
 	int		     i;
 
 	if (ulsm_nob < sizeof(*lsm))
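
Review bot: `ulsm_nob` stays an int in the retyped echo_copyin_lsm() prototype, and the check `if (ulsm_nob < sizeof(*lsm))` compares it against a size_t, so a negative value is converted to a large unsigned number and passes the check. Since the signature is being changed anyway, consider making the length parameter unsigned, or rejecting negative values explicitly, so the size check means what it reads as.
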
@@ -1305,11 +1308,10 @@ echo_copyin_lsm(struct echo_device *ed,
 		return -EINVAL;
 
 
-	for (i = 0; i < lsm->lsm_stripe_count; i++) {
-		if (copy_from_user(lsm->lsm_oinfo[i],
-				       ((struct lov_stripe_md *)ulsm)-> \
-				       lsm_oinfo[i],
-				       sizeof(lsm->lsm_oinfo[0])))
+	for (i = 0, p = lsm->lsm_oinfo; i < lsm->lsm_stripe_count; i++, p++) {
+		struct lov_oinfo __user *up;
+		if (get_user(up, ulsm->lsm_oinfo + i) ||
+		    copy_from_user(*p, up, sizeof(struct lov_oinfo)))
 			return -EFAULT;
 	}
 	return 0;
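
Review bot: the loop in echo_copyin_lsm() runs to `lsm->lsm_stripe_count` and fetches `ulsm->lsm_oinfo + i` from user memory, but the only length check visible in this patch is `ulsm_nob < sizeof(*lsm)`, which covers the header alone. Worth confirming that the -EINVAL path just above the loop bounds the stripe count against ulsm_nob and against the number of lsm_oinfo entries present in the kernel copy, since `*p` is the copy_from_user() destination. The changelog would also be easier to audit if it stated that lsm_oinfo[] in the user structure holds user pointers.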


