mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-05 02:19:51 +00:00
Code Issues Releases Wiki Activity
linux-stable/fs/btrfs
History
Dan Rosenberg 51788b1bdd btrfs: prevent heap corruption in btrfs_ioctl_space_info() 
Commit bf5fc093c5 refactored
btrfs_ioctl_space_info() and introduced several security issues.

space_args.space_slots is an unsigned 64-bit type controlled by a
possibly unprivileged caller.  The comparison as a signed int type
allows providing values that are treated as negative and cause the
subsequent allocation size calculation to wrap, or be truncated to 0.
By providing a size that's truncated to 0, kmalloc() will return
ZERO_SIZE_PTR.  It's also possible to provide a value smaller than the
slot count.  The subsequent loop ignores the allocation size when
copying data in, resulting in a heap overflow or write to ZERO_SIZE_PTR.

The fix changes the slot count type and comparison typecast to u64,
which prevents truncation or signedness errors, and also ensures that we
don't copy more data than we've allocated in the subsequent loop.  Note
that zero-size allocations are no longer possible since there is already
an explicit check for space_args.space_slots being 0 and truncation of
this value is no longer an issue.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Josef Bacik <josef@redhat.com>
Reviewed-by: Josef Bacik <josef@redhat.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
2011-02-14 16:04:23 -05:00
..
acl.c Merge branch 'bug-fixes' of git://repo.or.cz/linux-btrfs-devel into btrfs-38 2011-01-28 16:24:59 -05:00
async-thread.c Btrfs: don't walk around with task->state != TASK_RUNNING 2010-05-25 10:34:58 -04:00
async-thread.h Btrfs: fix deadlock on async thread startup 2009-10-05 09:44:45 -04:00
btrfs_inode.h btrfs: Allow to add new compression algorithm 2010-12-22 23:15:45 +08:00
compat.h Btrfs: drop remaining LINUX_KERNEL_VERSION checks and compat code 2009-01-06 09:38:55 -05:00
compression.c btrfs: Drop __exit attribute on btrfs_exit_compress 2011-02-06 07:19:19 -05:00
compression.h btrfs: Extract duplicate decompress code 2010-12-22 23:15:50 +08:00
ctree.c btrfs: check NULL or not 2011-01-16 11:30:20 -05:00
ctree.h Btrfs: forced readonly mounts on errors 2011-01-17 15:13:08 -05:00
delayed-ref.c Btrfs: Integrate metadata reservation with start_transaction 2010-05-25 10:34:50 -04:00
delayed-ref.h Btrfs: Integrate metadata reservation with start_transaction 2010-05-25 10:34:50 -04:00
dir-item.c Btrfs: Fix variables set but not read (bugs found by gcc 4.6) 2010-10-29 15:14:31 -04:00
disk-io.c Btrfs: fix page->private races 2011-02-14 13:03:52 -05:00
disk-io.h Btrfs: forced readonly mounts on errors 2011-01-17 15:13:08 -05:00
export.c btrfs: fix several uncheck memory allocations 2011-01-28 16:40:36 -05:00
export.h NFS support for btrfs - v3 2008-09-25 11:04:06 -04:00
extent-tree.c Btrfs: exclude super blocks when we read in block groups 2011-02-06 07:17:44 -05:00
extent_io.c Btrfs: don't release pages when we can't clear the uptodate bits 2011-02-14 13:04:01 -05:00
extent_io.h btrfs: Allow to add new compression algorithm 2010-12-22 23:15:45 +08:00
extent_map.c btrfs: Allow to add new compression algorithm 2010-12-22 23:15:45 +08:00
extent_map.h btrfs: Allow to add new compression algorithm 2010-12-22 23:15:45 +08:00
file-item.c Btrfs: do error checking in btrfs_del_csums 2011-01-28 16:42:34 -05:00
file.c Btrfs: Fix page count calculation 2011-02-07 14:13:51 -05:00
free-space-cache.c Btrfs: make sure search_bitmap finds something in remove_from_bitmap 2011-02-06 07:13:12 -05:00
free-space-cache.h Btrfs: load free space cache if it exists 2010-10-29 09:26:35 -04:00
hash.h Btrfs: remove crc32c.h and use libcrc32c directly. 2009-06-10 11:29:53 -04:00
inode-item.c Btrfs: Integrate metadata reservation with start_transaction 2010-05-25 10:34:50 -04:00
inode-map.c Btrfs: do not reuse objectid of deleted snapshot/subvol 2009-09-21 15:56:00 -04:00
inode.c btrfs: cleanup error handling in btrfs_unlink_inode() 2011-02-06 07:17:45 -05:00
ioctl.c btrfs: prevent heap corruption in btrfs_ioctl_space_info() 2011-02-14 16:04:23 -05:00
ioctl.h Merge branch 'lzo-support' of git://repo.or.cz/linux-btrfs-devel into btrfs-38 2011-01-16 11:25:54 -05:00
Kconfig btrfs: Add lzo compression support 2010-12-22 23:15:47 +08:00
locking.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
locking.h Btrfs: fix spinlock assertions on UP systems 2009-03-09 11:45:38 -04:00
lzo.c btrfs: Extract duplicate decompress code 2010-12-22 23:15:50 +08:00
Makefile btrfs: Add lzo compression support 2010-12-22 23:15:47 +08:00
ordered-data.c Btrfs: avoid uninit variable warnings in ordered-data.c 2011-01-31 20:33:37 -05:00
ordered-data.h btrfs: Allow to add new compression algorithm 2010-12-22 23:15:45 +08:00
orphan.c Btrfs: fixup return code for btrfs_del_orphan_item 2010-12-09 13:57:15 -05:00
print-tree.c btrfs: fix missing break in switch phrase 2011-01-28 16:40:37 -05:00
print-tree.h Btrfs: Create extent_buffer interface for large blocksizes 2008-09-25 11:03:56 -04:00
ref-cache.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ref-cache.h Btrfs: use RB_ROOT to intialize rb_trees instead of setting rb_node to NULL 2010-03-08 16:26:50 -05:00
relocation.c Btrfs: Fix balance panic 2011-02-14 16:00:03 -05:00
root-tree.c Btrfs: cleanup warnings from gcc 4.6 (nonbugs) 2010-10-29 15:14:37 -04:00
struct-funcs.c Btrfs: Fix checkpatch.pl warnings 2009-01-05 21:25:51 -05:00
super.c btrfs: fix return value check of btrfs_start_transaction() 2011-02-01 07:17:27 -05:00
sysfs.c Driver core: Constify struct sysfs_ops in struct kobj_type 2010-03-07 17:04:49 -08:00
transaction.c btrfs: fix return value check of btrfs_join_transaction() 2011-01-28 16:40:37 -05:00
transaction.h Btrfs: Add readonly snapshots support 2010-12-23 08:49:17 +08:00
tree-defrag.c Btrfs: cleanup warnings from gcc 4.6 (nonbugs) 2010-10-29 15:14:37 -04:00
tree-log.c btrfs: fix return value check of btrfs_start_transaction() 2011-02-01 07:17:27 -05:00
tree-log.h Btrfs: Metadata ENOSPC handling for tree log 2010-05-25 10:34:53 -04:00
version.h Update Btrfs files for in-kernel usage 2008-09-25 15:41:59 -04:00
version.sh Btrfs: Fixes for 2.6.28-rc API changes 2008-11-19 21:17:22 -05:00
volumes.c btrfs: fix return value check of btrfs_start_transaction() 2011-02-01 07:17:27 -05:00
volumes.h btrfs: fix wrong free space information of btrfs 2011-01-16 11:30:19 -05:00
xattr.c Btrfs: Add readonly snapshots support 2010-12-23 08:49:17 +08:00
xattr.h btrfs: constify xattr_handler 2010-05-21 18:31:18 -04:00
zlib.c btrfs: Extract duplicate decompress code 2010-12-22 23:15:50 +08:00