linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg KH <gregkh@linuxfoundation.org>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Zach Brown <zab@redhat.com>,
	Miklos Szeredi <mszeredi@suse.cz>
Subject: [ 04/32] fuse: verify all ioctl retry iov elements
Date: Sun, 19 Aug 2012 20:57:00 -0700	[thread overview]
Message-ID: <20120820035648.469927264@linuxfoundation.org> (raw)
In-Reply-To: <20120820035647.862247088@linuxfoundation.org>

From: Greg KH <gregkh@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zach Brown <zab@redhat.com>

commit fb6ccff667712c46b4501b920ea73a326e49626a upstream.

Commit 7572777eef78ebdee1ecb7c258c0ef94d35bad16 attempted to verify that
the total iovec from the client doesn't overflow iov_length() but it
only checked the first element.  The iovec could still overflow by
starting with a small element.  The obvious fix is to check all the
elements.

The overflow case doesn't look dangerous to the kernel as the copy is
limited by the length after the overflow.  This fix restores the
intention of returning an error instead of successfully copying less
than the iovec represented.

I found this by code inspection.  I built it but don't have a test case.
I'm cc:ing stable because the initial commit did as well.

Signed-off-by: Zach Brown <zab@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1698,7 +1698,7 @@ static int fuse_verify_ioctl_iov(struct
 	size_t n;
 	u32 max = FUSE_MAX_PAGES_PER_REQ << PAGE_SHIFT;
 
-	for (n = 0; n < count; n++) {
+	for (n = 0; n < count; n++, iov++) {
 		if (iov->iov_len > (size_t) max)
 			return -ENOMEM;
 		max -= iov->iov_len;



  parent reply	other threads:[~2012-08-20  3:57 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-20  3:56 [ 00/32] 3.4.10-stable review Greg Kroah-Hartman
2012-08-20  3:56 ` [ 01/32] s390/compat: fix compat wrappers for process_vm system calls Greg Kroah-Hartman
2012-08-20  3:56 ` [ 02/32] s390/compat: fix mmap compat " Greg Kroah-Hartman
2012-08-20  3:56 ` [ 03/32] dma: imx-dma: Fix kernel crash due to missing clock conversion Greg Kroah-Hartman
2012-08-20  3:57 ` Greg Kroah-Hartman [this message]
2012-08-20  3:57 ` [ 05/32] xen: mark local pages as FOREIGN in the m2p_override Greg Kroah-Hartman
2012-08-20  3:57 ` [ 06/32] drm/i915: prefer wide & slow to fast & narrow in DP configs Greg Kroah-Hartman
2012-08-20  3:57 ` [ 07/32] drm/nvd0/disp: mask off high 16 bit of negative cursor x-coordinate Greg Kroah-Hartman
2012-08-20  3:57 ` [ 08/32] drm/i915: correctly order the ring init sequence Greg Kroah-Hartman
2012-08-24 23:03   ` Herton Ronaldo Krzesinski
2012-08-27  4:42     ` Greg Kroah-Hartman
2012-08-20  3:57 ` [ 09/32] drm/i915: ignore eDP bpc settings from vbt Greg Kroah-Hartman
2012-08-20  3:57 ` [ 10/32] drm/i915: reorder edp disabling to fix ivb MacBook Air Greg Kroah-Hartman
2012-08-20  3:57 ` [ 11/32] drm/radeon: properly handle crtc powergating Greg Kroah-Hartman
2012-08-20  3:57 ` [ 12/32] drm/radeon: do not reenable crtc after moving vram start address Greg Kroah-Hartman
2012-08-20  3:57 ` [ 13/32] drm/radeon: add some new SI pci ids Greg Kroah-Hartman
2012-08-20  3:57 ` [ 14/32] drm/radeon: fix bank tiling parameters on cayman Greg Kroah-Hartman
2012-08-20  3:57 ` [ 15/32] drm/radeon: fix bank tiling parameters on evergreen Greg Kroah-Hartman
2012-08-20  3:57 ` [ 16/32] ext4: make sure the journal sb is written in ext4_clear_journal_err() Greg Kroah-Hartman
2012-09-07  2:55   ` Ben Hutchings
2012-08-20  3:57 ` [ 17/32] ext4: avoid kmemcheck complaint from reading uninitialized memory Greg Kroah-Hartman
2012-08-20  3:57 ` [ 18/32] ext4: fix long mount times on very big file systems Greg Kroah-Hartman
2012-08-20  3:57 ` [ 19/32] ext4: fix kernel BUG on large-scale rm -rf commands Greg Kroah-Hartman
2012-08-20  3:57 ` [ 20/32] xhci: Add Etron XHCI_TRUST_TX_LENGTH quirk Greg Kroah-Hartman
2012-08-20  3:57 ` [ 21/32] xhci: Increase reset timeout for Renesas 720201 host Greg Kroah-Hartman
2012-08-20  3:57 ` [ 22/32] xhci: Switch PPT ports to EHCI on shutdown Greg Kroah-Hartman
2012-08-20  3:57 ` [ 23/32] xhci: Fix bug after deq ptr set to link TRB Greg Kroah-Hartman
2012-08-20  3:57 ` [ 24/32] USB: add USB_VENDOR_AND_INTERFACE_INFO() macro Greg Kroah-Hartman
2012-08-20  3:57 ` [ 25/32] pmac_zilog,kdb: Fix console poll hook to return instead of loop Greg Kroah-Hartman
2012-08-20  3:57 ` [ 26/32] IB/srp: Fix a race condition Greg Kroah-Hartman
2012-08-20  3:57 ` [ 27/32] USB: support the new interfaces of Huawei Data Card devices in option driver Greg Kroah-Hartman
2012-08-20  3:57 ` [ 28/32] USB: option: add ZTE K5006-Z Greg Kroah-Hartman
2012-08-20  3:57 ` [ 29/32] USB: ftdi_sio: Add VID/PID for Kondo Serial USB Greg Kroah-Hartman
2012-08-20  3:57 ` [ 30/32] usb: serial: mos7840: Fixup mos7840_chars_in_buffer() Greg Kroah-Hartman
2012-08-20  3:57 ` [ 31/32] usb: gadget: u_ether: fix kworker 100% CPU issue with still used interfaces in eth_stop Greg Kroah-Hartman
2012-08-20  3:57 ` [ 32/32] rt2x00: Add support for BUFFALO WLI-UC-GNM2 to rt2800usb Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120820035648.469927264@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mszeredi@suse.cz \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=zab@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).