diff options
| author | Miklos Szeredi <mszeredi@suse.cz> | 2011-07-06 06:33:55 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-07-06 13:41:13 -0400 |
| commit | a51cb91d81f8e6fc4e5e08b772cc3ceb13ac9d37 (patch) | |
| tree | b6289a258d552b9c0daea02b898425d911f4fee9 /fs | |
| parent | a2fa83faf47b514ab947cea916d3691b66525073 (diff) | |
fs: fix lock initialization
locks_alloc_lock() assumed that the allocated struct file_lock is
already initialized to zero members. This is only true for the first
allocation of the structure, after reuse some of the members will have
random values.
This will for example result in passing random fl_start values to
userspace in fuse for FL_FLOCK locks, which is an information leak at
best.
Fix by reinitializing those members which may be non-zero after freeing.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
CC: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/locks.c | 30 |
1 files changed, 20 insertions, 10 deletions
diff --git a/fs/locks.c b/fs/locks.c index 0a4f50dfadfb..b286539d547a 100644 --- a/fs/locks.c +++ b/fs/locks.c | |||
| @@ -160,10 +160,28 @@ EXPORT_SYMBOL_GPL(unlock_flocks); | |||
| 160 | 160 | ||
| 161 | static struct kmem_cache *filelock_cache __read_mostly; | 161 | static struct kmem_cache *filelock_cache __read_mostly; |
| 162 | 162 | ||
| 163 | static void locks_init_lock_always(struct file_lock *fl) | ||
| 164 | { | ||
| 165 | fl->fl_next = NULL; | ||
| 166 | fl->fl_fasync = NULL; | ||
| 167 | fl->fl_owner = NULL; | ||
| 168 | fl->fl_pid = 0; | ||
| 169 | fl->fl_nspid = NULL; | ||
| 170 | fl->fl_file = NULL; | ||
| 171 | fl->fl_flags = 0; | ||
| 172 | fl->fl_type = 0; | ||
| 173 | fl->fl_start = fl->fl_end = 0; | ||
| 174 | } | ||
| 175 | |||
| 163 | /* Allocate an empty lock structure. */ | 176 | /* Allocate an empty lock structure. */ |
| 164 | struct file_lock *locks_alloc_lock(void) | 177 | struct file_lock *locks_alloc_lock(void) |
| 165 | { | 178 | { |
| 166 | return kmem_cache_alloc(filelock_cache, GFP_KERNEL); | 179 | struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL); |
| 180 | |||
| 181 | if (fl) | ||
| 182 | locks_init_lock_always(fl); | ||
| 183 | |||
| 184 | return fl; | ||
| 167 | } | 185 | } |
| 168 | EXPORT_SYMBOL_GPL(locks_alloc_lock); | 186 | EXPORT_SYMBOL_GPL(locks_alloc_lock); |
| 169 | 187 | ||
| @@ -200,17 +218,9 @@ void locks_init_lock(struct file_lock *fl) | |||
| 200 | INIT_LIST_HEAD(&fl->fl_link); | 218 | INIT_LIST_HEAD(&fl->fl_link); |
| 201 | INIT_LIST_HEAD(&fl->fl_block); | 219 | INIT_LIST_HEAD(&fl->fl_block); |
| 202 | init_waitqueue_head(&fl->fl_wait); | 220 | init_waitqueue_head(&fl->fl_wait); |
| 203 | fl->fl_next = NULL; | ||
| 204 | fl->fl_fasync = NULL; | ||
| 205 | fl->fl_owner = NULL; | ||
| 206 | fl->fl_pid = 0; | ||
| 207 | fl->fl_nspid = NULL; | ||
| 208 | fl->fl_file = NULL; | ||
| 209 | fl->fl_flags = 0; | ||
| 210 | fl->fl_type = 0; | ||
| 211 | fl->fl_start = fl->fl_end = 0; | ||
| 212 | fl->fl_ops = NULL; | 221 | fl->fl_ops = NULL; |
| 213 | fl->fl_lmops = NULL; | 222 | fl->fl_lmops = NULL; |
| 223 | locks_init_lock_always(fl); | ||
| 214 | } | 224 | } |
| 215 | 225 | ||
| 216 | EXPORT_SYMBOL(locks_init_lock); | 226 | EXPORT_SYMBOL(locks_init_lock); |