[kernel] r22398 - in dists/sid/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Tue Feb 17 05:19:56 UTC 2015


Author: benh
Date: Tue Feb 17 05:19:56 2015
New Revision: 22398

Log:
vfs: read file_handle only once in handle_to_path (CVE-2015-1420)

Added:
   dists/sid/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Tue Feb 17 05:07:48 2015	(r22397)
+++ dists/sid/linux/debian/changelog	Tue Feb 17 05:19:56 2015	(r22398)
@@ -6,6 +6,7 @@
   [ Ben Hutchings ]
   * shm: add memfd.h to UAPI export list, so kdbus will build
   * [x86] HPET force enable for e6xx based systems (Closes: #772951)
+  * vfs: read file_handle only once in handle_to_path (CVE-2015-1420)
 
  -- Ian Campbell <ijc at debian.org>  Mon, 09 Feb 2015 06:17:31 +0000
 

Added: dists/sid/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch	Tue Feb 17 05:19:56 2015	(r22398)
@@ -0,0 +1,37 @@
+From: Sasha Levin <sasha.levin at oracle.com>
+Subject: vfs: read file_handle only once in handle_to_path
+Date: Wed, 28 Jan 2015 15:30:43 -0500
+Origin: http://article.gmane.org/gmane.linux.file-systems/92438
+
+We used to read file_handle twice. Once to get the amount of extra bytes, and
+once to fetch the entire structure.
+
+This may be problematic since we do size verifications only after the first
+read, so if the number of extra bytes changes in userspace between the first
+and second calls, we'll have an incoherent view of file_handle.
+
+Instead, read the constant size once, and copy that over to the final
+structure without having to re-read it again.
+
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+---
+Change in v2:
+ - Use the f_handle pointer rather than size of struct
+
+ fs/fhandle.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/fhandle.c
++++ b/fs/fhandle.c
+@@ -195,8 +195,9 @@ static int handle_to_path(int mountdirfd
+ 		goto out_err;
+ 	}
+ 	/* copy the full handle */
+-	if (copy_from_user(handle, ufh,
+-			   sizeof(struct file_handle) +
++	*handle = f_handle;
++	if (copy_from_user(&handle->f_handle,
++			   &ufh->f_handle,
+ 			   f_handle.handle_bytes)) {
+ 		retval = -EFAULT;
+ 		goto out_handle;
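
Review bot: the context comment "/* copy the full handle */" directly above the new "*handle = f_handle;" is now stale. After this change only the trailing f_handle.handle_bytes payload is fetched from userspace, and the fixed-size header comes from the kernel-side copy f_handle, which the commit message says is the one the size verification was done on. Reword the comment to say that, for example "/* header from the already-read kernel copy; fetch only the payload */", so a later cleanup does not fold the two steps back into one copy_from_user() of the whole structure and bring back the second read of handle_bytes. The local struct f_handle and the member handle->f_handle also share a name, which makes these three lines easy to misread. Renaming the local would help.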

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Tue Feb 17 05:07:48 2015	(r22397)
+++ dists/sid/linux/debian/patches/series	Tue Feb 17 05:19:56 2015	(r22398)
@@ -503,3 +503,4 @@
 bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-.patch
 features/all/kdbus/shm-add-memfd.h-to-uapi-export-list.patch
 bugfix/x86/x86-hpet-force-enable-for-e6xx-based-systems.patch
+bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch


