diff options
| author | Jann Horn <jann@thejh.net> | 2015-08-16 14:27:01 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-08-16 15:35:44 -0400 |
| commit | 8ed1f0e22f49ef42e63875fd2529389a32ff3566 (patch) | |
| tree | 9f388d7ec994747b8703d371b49e1e27921b2533 | |
| parent | 1efdb5f0a9243ca8f3460a5ce1b407b06a021f02 (diff) | |
fs/fuse: fix ioctl type confusion
fuse_dev_ioctl() performed fuse_get_dev() on a user-supplied fd,
leading to a type confusion issue. Fix it by checking file->f_op.
Signed-off-by: Jann Horn <jann@thejh.net>
Acked-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | fs/fuse/dev.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 80cc1b35d460..ebb5e37455a0 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c | |||
| @@ -2246,7 +2246,15 @@ static long fuse_dev_ioctl(struct file *file, unsigned int cmd, | |||
| 2246 | 2246 | ||
| 2247 | err = -EINVAL; | 2247 | err = -EINVAL; |
| 2248 | if (old) { | 2248 | if (old) { |
| 2249 | struct fuse_dev *fud = fuse_get_dev(old); | 2249 | struct fuse_dev *fud = NULL; |
| 2250 | |||
| 2251 | /* | ||
| 2252 | * Check against file->f_op because CUSE | ||
| 2253 | * uses the same ioctl handler. | ||
| 2254 | */ | ||
| 2255 | if (old->f_op == file->f_op && | ||
| 2256 | old->f_cred->user_ns == file->f_cred->user_ns) | ||
| 2257 | fud = fuse_get_dev(old); | ||
| 2250 | 2258 | ||
| 2251 | if (fud) { | 2259 | if (fud) { |
| 2252 | mutex_lock(&fuse_mutex); | 2260 | mutex_lock(&fuse_mutex); |