On Wed, 2017-04-12 at 11:59 -0700, Kees Cook wrote:
> On Wed, Apr 5, 2017 at 8:29 AM, Kees Cook <keescook@xxxxxxxxxxxx>
> wrote:
> > When the call to nfs_devname() fails, the error path attempts to
> > retain
> > the error via the mnt variable, but this requires a cast across
> > very
> > different types (char * to struct vfsmount *), which the upcoming
> > structure layout randomization plugin flags as being potentially
> > dangerous in the face of randomization. This is a false positive,
> > but
> > what this code actually wants to do is retain the error value, so
> > this
> > patch explicitly sets it, instead of using what seems to be an
> > unexpected cast.
> >
> > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>
> If I can get an Acked-by on this, I could push it via the gcc-plugin
> tree.
>
> Thanks!
>
> -Kees
>
> > ---
> > v2: duh, use ERR_CAST. thanks neilb!
> > ---
> > fs/nfs/namespace.c | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
> > index 786f17580582..8ca5d147124d 100644
> > --- a/fs/nfs/namespace.c
> > +++ b/fs/nfs/namespace.c
> > @@ -259,9 +259,10 @@ struct vfsmount *nfs_do_submount(struct dentry
> > *dentry, struct nfs_fh *fh,
> > if (page == NULL)
> > goto out;
> > devname = nfs_devname(dentry, page, PAGE_SIZE);
> > - mnt = (struct vfsmount *)devname;
> > - if (IS_ERR(devname))
> > + if (IS_ERR(devname)) {
> > + mnt = ERR_CAST(devname);
> > goto free_page;
> > + }
> > mnt = nfs_do_clone_mount(NFS_SB(dentry->d_sb), devname,
> > &mountdata);
> > free_page:
> > free_page((unsigned long)page);
> > --
> > 2.7.4
> >
> >
> > --
> > Kees Cook
> > Pixel Security
>
Acked-by: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
--
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@xxxxxxxxxxxxxxx
��.n��������+%�������w��{.n�����{��w����jg���������ݢj�����G��������j:+v���w�m������w�������h�����٥
