diff options
author | Artem Bityutskiy <artem.bityutskiy@linux.intel.com> | 2013-06-28 14:15:15 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-07-03 11:03:24 -0700 |
commit | c6c46477761504a89d5c68331f3b86fe31b51338 (patch) | |
tree | fbe0460d4a0cd273a42a98418dff9b84d6ff1cfc /include/linux | |
parent | 1f4f917e5e882de1e701d7b26955884ed16604d5 (diff) | |
download | kernel_samsung_aries-c6c46477761504a89d5c68331f3b86fe31b51338.zip kernel_samsung_aries-c6c46477761504a89d5c68331f3b86fe31b51338.tar.gz kernel_samsung_aries-c6c46477761504a89d5c68331f3b86fe31b51338.tar.bz2 |
UBIFS: fix a horrid bug
commit 605c912bb843c024b1ed173dc427cd5c08e5d54d upstream.
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.
This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
but this may corrupt memory and lead to all kinds of problems like crashes an
security holes.
This patch fixes the problem by using the 'file->f_version' field, which
'->llseek()' always unconditionally sets to zero. We set it to 1 in
'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
seek and it is time to clear the state saved in 'file->private_data'.
I tested this patch by writing a user-space program which runds readdir and
seek in parallell. I could easily crash the kernel without these patches, but
could not crash it with these patches.
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions