On Mon, May 12, 2014 at 02:34:17AM +0200, Willy Tarreau wrote: > 2.6.32-longterm review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > If we allocate less than sizeof(struct attrlist) then we end up > corrupting memory or doing a ZERO_PTR_SIZE dereference. > > This can only be triggered with CAP_SYS_ADMIN. > > Reported-by: Nico Golde <nico@xxxxxxxxx> > Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > Reviewed-by: Dave Chinner <dchinner@xxxxxxxxxx> > Signed-off-by: Ben Myers <bpm@xxxxxxx> > > (cherry picked from commit 071c529eb672648ee8ca3f90944bcbcc730b4c06) > [dannf: backported to Debian's 2.6.32] > Signed-off-by: Willy Tarreau <w@xxxxxx> > --- > fs/xfs/linux-2.6/xfs_ioctl.c | 3 ++- > fs/xfs/linux-2.6/xfs_ioctl32.c | 4 ++-- > 2 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c > index 942362f..5663351 100644 > --- a/fs/xfs/linux-2.6/xfs_ioctl.c > +++ b/fs/xfs/linux-2.6/xfs_ioctl.c > @@ -410,7 +410,8 @@ xfs_attrlist_by_handle( > return -XFS_ERROR(EPERM); > if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t))) > return -XFS_ERROR(EFAULT); > - if (al_hreq.buflen > XATTR_LIST_MAX) > + if (al_hreq.buflen < sizeof(struct attrlist) || > + al_hreq.buflen > XATTR_LIST_MAX) > return -XFS_ERROR(EINVAL); > > /* > diff --git a/fs/xfs/linux-2.6/xfs_ioctl32.c b/fs/xfs/linux-2.6/xfs_ioctl32.c > index bad485a..782d03d 100644 > --- a/fs/xfs/linux-2.6/xfs_ioctl32.c > +++ b/fs/xfs/linux-2.6/xfs_ioctl32.c 
> @@ -361,8 +361,8 @@ xfs_compat_attrlist_by_handle( > if (copy_from_user(&al_hreq, arg, > sizeof(compat_xfs_fsop_attrlist_handlereq_t))) > return -XFS_ERROR(EFAULT); > - if (al_hreq.buflen > XATTR_LIST_MAX) > - return -XFS_ERROR(EINVAL); Am I missing something or was the above return statement deleted by mistake? Cheers, -- Luís > + if (al_hreq.buflen < sizeof(struct attrlist) || > + al_hreq.buflen > XATTR_LIST_MAX) > > /* > * Reject flags, only allow namespaces. > -- > 1.7.12.2.21.g234cd45.dirty
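Review bot: in the fs/xfs/linux-2.6/xfs_ioctl.c hunk (xfs_attrlist_by_handle), the new lower bound "al_hreq.buflen < sizeof(struct attrlist)" has no comment saying why that size is the minimum. The reason is only in the commit message (a smaller allocation ends in memory corruption or a zero-size pointer dereference), so a one-line comment above the check would keep it with the code. The identical two-line condition is also repeated in xfs_ioctl32.c; a shared helper or macro for the buflen range test would keep the native and compat paths from drifting apart.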
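Review bot: in the fs/xfs/linux-2.6/xfs_ioctl32.c hunk (xfs_compat_attrlist_by_handle), the line "- return -XFS_ERROR(EINVAL);" is removed together with the old condition and never added back, so the new two-line "if" has no body of its own. As posted, an out-of-range buflen is no longer rejected with EINVAL, and the "if" instead governs whatever statement follows the "Reject flags, only allow namespaces" comment. The xfs_ioctl.c hunk keeps its return as an unchanged context line; this hunk needs a "+ return -XFS_ERROR(EINVAL);" after the new condition, which would also change the hunk from 2 removed / 2 added to 2 removed / 3 added and the diffstat with it.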