[kernel] r22393 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Tue Feb 17 04:50:11 UTC 2015
Author: benh
Date: Tue Feb 17 04:50:11 2015
New Revision: 22393
Log:
vfs: read file_handle only once in handle_to_path (CVE-2015-1420)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Tue Feb 17 04:40:53 2015 (r22392)
+++ dists/wheezy-security/linux/debian/changelog Tue Feb 17 04:50:11 2015 (r22393)
@@ -16,6 +16,7 @@
* vfs: move d_rcu from overlapping d_child to overlapping d_alias
* aufs: move d_rcu from overlapping d_child to overlapping d_alias
* vfs: deal with deadlock in d_walk() (CVE-2014-8559)
+ * vfs: read file_handle only once in handle_to_path (CVE-2015-1420)
-- Ben Hutchings <ben at decadent.org.uk> Thu, 29 Jan 2015 04:02:31 +0000
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch Tue Feb 17 04:50:11 2015 (r22393)
@@ -0,0 +1,37 @@
+From: Sasha Levin <sasha.levin at oracle.com>
+Subject: vfs: read file_handle only once in handle_to_path
+Date: Wed, 28 Jan 2015 15:30:43 -0500
+Origin: http://article.gmane.org/gmane.linux.file-systems/92438
+
+We used to read file_handle twice. Once to get the amount of extra bytes, and
+once to fetch the entire structure.
+
+This may be problematic since we do size verifications only after the first
+read, so if the number of extra bytes changes in userspace between the first
+and second calls, we'll have an incoherent view of file_handle.
+
+Instead, read the constant size once, and copy that over to the final
+structure without having to re-read it again.
+
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+---
+Change in v2:
+ - Use the f_handle pointer rather than size of struct
+
+ fs/fhandle.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/fhandle.c
++++ b/fs/fhandle.c
+@@ -196,8 +196,9 @@ static int handle_to_path(int mountdirfd
+ goto out_err;
+ }
+ /* copy the full handle */
+- if (copy_from_user(handle, ufh,
+- sizeof(struct file_handle) +
++ *handle = f_handle;
++ if (copy_from_user(&handle->f_handle,
++ &ufh->f_handle,
+ f_handle.handle_bytes)) {
+ retval = -EFAULT;
+ goto out_handle;
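Review bot: the new `*handle = f_handle;` line makes the kernel's copy of `handle_bytes` and `handle_type` come from the already-checked stack copy `f_handle`, and the second `copy_from_user` now reads only the variable-length `f_handle` array from `&ufh->f_handle`, bounded by the validated `f_handle.handle_bytes`; that closes the double-read window the description names, but the hunk does not show the size check that ends at the `goto out_err;` context line or the allocation of `handle`, so confirm in the full function that `handle` was sized from that same validated `f_handle.handle_bytes` before accepting. One documentation nit: the patch header carries Subject, Date and Origin but no mention of CVE-2015-1420, which appears only in the changelog entry; adding it to the header keeps the patch self-describing.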
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Tue Feb 17 04:40:53 2015 (r22392)
+++ dists/wheezy-security/linux/debian/patches/series Tue Feb 17 04:50:11 2015 (r22393)
@@ -1166,3 +1166,4 @@
bugfix/all/deal-with-deadlock-in-d_walk.patch
bugfix/all/dcache-fix-locking-bugs-in-backported-deal-with-deadlock-in-d_walk.patch
debian/vfs-avoid-abi-change-for-dentry-union-changes.patch
+bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch