Re: [PATCH v3.10-stable] splice: Apply generic position and size checks to each write

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Greg,

On Fri, Mar 20, 2015 at 10:05:00AM +0100, Greg KH wrote:
> On Fri, Mar 20, 2015 at 04:59:42PM +0800, Zhang Zhen wrote:
> > We need to check the position and size of file writes against various
> > limits, using generic_write_check(). This was not being done for
> > the splice write path. It was fixed upstream by commit 8d0207652cbe
> > ("->splice_write() via ->write_iter()") but we can't apply that.
> > 
> > CVE-2014-7822
> > 
> > Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> > [Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
> > Signed-off-by: Zhang Zhen <zhenzhang.zhang@xxxxxxxxxx>
> > ---
> >  fs/ocfs2/file.c | 8 +++++---
> >  fs/splice.c     | 8 ++++++--
> >  2 files changed, 11 insertions(+), 5 deletions(-)
> 
> What is the git commit id of this in Linus's tree?

The commit message refers to this one :

commit 8d0207652cbe27d1f962050737848e5ad4671958
Author: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Date:   Sat Apr 5 04:27:08 2014 -0400

    ->splice_write() via ->write_iter()
    
    iter_file_splice_write() - a ->splice_write() instance that gathers the
    pipe buffers, builds a bio_vec-based iov_iter covering those and feeds
    it to ->write_iter().  A bunch of simple cases coverted to that...
    
    [AV: fixed the braino spotted by Cyrill]
    
    Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>

However the fix is very different here, I think it would be prudent
to get Al's Ack on this one, especially after it's been ported from
another version.

Willy

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]