From dfd470cb06a0608da732d704ded154a670763de5 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 17 Feb 2015 05:19:56 +0000 Subject: [PATCH] vfs: read file_handle only once in handle_to_path (CVE-2015-1420) svn path=/dists/sid/linux/; revision=22398 --- debian/changelog | 1 + ...e_handle-only-once-in-handle_to_path.patch | 37 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 39 insertions(+) create mode 100644 debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch diff --git a/debian/changelog b/debian/changelog index edc342d28..65398b910 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,7 @@ linux (3.16.7-ckt4-4) UNRELEASED; urgency=medium [ Ben Hutchings ] * shm: add memfd.h to UAPI export list, so kdbus will build * [x86] HPET force enable for e6xx based systems (Closes: #772951) + * vfs: read file_handle only once in handle_to_path (CVE-2015-1420) -- Ian Campbell Mon, 09 Feb 2015 06:17:31 +0000 diff --git a/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch b/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch new file mode 100644 index 000000000..ecc1bbb52 --- /dev/null +++ b/debian/patches/bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch 
@@ -0,0 +1,37 @@ +From: Sasha Levin +Subject: vfs: read file_handle only once in handle_to_path +Date: Wed, 28 Jan 2015 15:30:43 -0500 +Origin: http://article.gmane.org/gmane.linux.file-systems/92438 + +We used to read file_handle twice. Once to get the amount of extra bytes, and +once to fetch the entire structure. + +This may be problematic since we do size verifications only after the first +read, so if the number of extra bytes changes in userspace between the first +and second calls, we'll have an incoherent view of file_handle. + +Instead, read the constant size once, and copy that over to the final +structure without having to re-read it again. + +Signed-off-by: Sasha Levin +--- +Change in v2: + - Use the f_handle pointer rather than size of struct + + fs/fhandle.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/fhandle.c ++++ b/fs/fhandle.c +@@ -195,8 +195,9 @@ static int handle_to_path(int mountdirfd + goto out_err; + } + /* copy the full handle */ +- if (copy_from_user(handle, ufh, +- sizeof(struct file_handle) + ++ *handle = f_handle; ++ if (copy_from_user(&handle->f_handle, ++ &ufh->f_handle, + f_handle.handle_bytes)) { + retval = -EFAULT; + goto out_handle; diff --git a/debian/patches/series b/debian/patches/series index 27b609d2e..c157bc78c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -503,3 +503,4 @@ bugfix/x86/x86-tls-interpret-an-all-zero-struct-user_desc-as-no.patch bugfix/all/net-sctp-fix-slab-corruption-from-use-after-free-on-.patch features/all/kdbus/shm-add-memfd.h-to-uapi-export-list.patch bugfix/x86/x86-hpet-force-enable-for-e6xx-based-systems.patch +bugfix/all/vfs-read-file_handle-only-once-in-handle_to_path.patch
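Review bot: in the fs/fhandle.c hunk the second copy_from_user now starts at `&ufh->f_handle` and copies exactly `f_handle.handle_bytes`, while the fixed-size header is filled from the kernel-side copy with `*handle = f_handle;`, so a userspace change to `handle_bytes` between the two reads can no longer grow the second copy beyond what was validated; this is only sound if the size check on `f_handle.handle_bytes` and the allocation of `handle` (both above the five-line context shown, which the description says happen after the first read) use the same `f_handle` value, and that should be confirmed against the full function when applying. A one-line comment above `*handle = f_handle;` saying that the header is deliberately not re-read from userspace would keep a later cleanup from folding the two copies back into a single `sizeof(struct file_handle) + handle_bytes` read, which is exactly the double-fetch this patch removes.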
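Review bot: the `Origin:` header of the new patch file points at a mailing-list post rather than an upstream commit, so once this change is merged into mainline or stable the patch file should be refreshed with the upstream commit reference to make it easy to drop at the next rebase; the changelog entry and the `debian/patches/series` line otherwise agree with each other on the `bugfix/all/` path and on the CVE-2015-1420 identifier given in the subject.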