aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorArtem Bityutskiy <artem.bityutskiy@linux.intel.com>2013-06-28 14:15:15 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-07-03 11:03:24 -0700
commitc6c46477761504a89d5c68331f3b86fe31b51338 (patch)
treefbe0460d4a0cd273a42a98418dff9b84d6ff1cfc /drivers
parent1f4f917e5e882de1e701d7b26955884ed16604d5 (diff)
downloadkernel_samsung_aries-c6c46477761504a89d5c68331f3b86fe31b51338.zip
kernel_samsung_aries-c6c46477761504a89d5c68331f3b86fe31b51338.tar.gz
kernel_samsung_aries-c6c46477761504a89d5c68331f3b86fe31b51338.tar.bz2
UBIFS: fix a horrid bug
commit 605c912bb843c024b1ed173dc427cd5c08e5d54d upstream. Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
0 files changed, 0 insertions, 0 deletions