diff options
| author | Jann Horn <jann@thejh.net> | 2015-09-11 15:39:33 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2016-07-15 17:30:06 -0400 |
| commit | 3e0a396546450536679ae4d3bd70290ce0b0c79c (patch) | |
| tree | 1de0a003e5f230a2f5dfd63dfa837488ef8a728a | |
| parent | aa93d1fee85c890a34f2510a310e55ee76a27848 (diff) | |
xfs: fix type confusion in xfs_ioc_swapext
Without this check, the following XFS_I invocations would return bad
pointers when used on non-XFS inodes (perhaps pointers into preceding
allocator chunks).
This could be used by an attacker to trick xfs_swap_extents into
performing locking operations on attacker-chosen structures in kernel
memory, potentially leading to code execution in the kernel. (I have
not investigated how likely this is to be usable for an attack in
practice.)
Signed-off-by: Jann Horn <jann@thejh.net>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Chinner <david@fromorbit.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | fs/xfs/xfs_ioctl.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index dbca7375deef..63a6ff2cfc68 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c | |||
| @@ -1575,6 +1575,12 @@ xfs_ioc_swapext( | |||
| 1575 | goto out_put_tmp_file; | 1575 | goto out_put_tmp_file; |
| 1576 | } | 1576 | } |
| 1577 | 1577 | ||
| 1578 | if (f.file->f_op != &xfs_file_operations || | ||
| 1579 | tmp.file->f_op != &xfs_file_operations) { | ||
| 1580 | error = -EINVAL; | ||
| 1581 | goto out_put_tmp_file; | ||
| 1582 | } | ||
| 1583 | |||
| 1578 | ip = XFS_I(file_inode(f.file)); | 1584 | ip = XFS_I(file_inode(f.file)); |
| 1579 | tip = XFS_I(file_inode(tmp.file)); | 1585 | tip = XFS_I(file_inode(tmp.file)); |
| 1580 | 1586 | ||