github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-10 15:42:19 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
d2d0adce41
linux/fs
History
Jeff Layton bb60c07c75 cifs: fix potential buffer overrun in cifs.idmap handling code 
commit 36960e440c upstream.

The userspace cifs.idmap program generally works with the wbclient libs
to generate binary SIDs in userspace. That program defines the struct
that holds these values as having a max of 15 subauthorities. The kernel
idmapping code however limits that value to 5.

When the kernel copies those values around though, it doesn't sanity
check the num_subauths value handed back from userspace or from the
server. It's possible therefore for userspace to hand us back a bogus
num_subauths value (or one that's valid, but greater than 5) that could
cause the kernel to walk off the end of the cifs_sid->sub_auths array.

Fix this by defining a new routine for copying sids and using that in
all of the places that copy it. If we end up with a sid that's longer
than expected then this approach will just lop off the "extra" subauths,
but that's basically what the code does today already. Better approaches
might be to fix this code to reject SIDs with >5 subauths, or fix it
to handle the subauths array dynamically.

At the same time, change the kernel to check the length of the data
returned by userspace. If it's shorter than struct cifs_sid, reject it
and return -EIO. If that happens we'll end up with fields that are
basically uninitialized.

Long term, it might make sense to redefine cifs_sid using a flexarray at
the end, to allow for variable-length subauth lists, and teach the code
to handle the case where the subauths array being passed in from
userspace is shorter than 5 elements.

Note too, that I don't consider this a security issue since you'd need
a compromised cifs.idmap program. If you have that, you can do all sorts
of nefarious stuff. Still, this is probably reasonable for stable.

Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-11-26 11:37:41 -08:00
..
9p 9p changes for the 3.4 merge window 2012-03-28 09:58:38 -07:00
adfs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
affs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
afs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-03-21 13:36:41 -07:00
autofs4 autofs4 - fix reset pending flag on mount fail 2012-10-21 09:27:59 -07:00
befs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
bfs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
btrfs Btrfs: call the ordered free operation without any locks held 2012-08-09 08:31:37 -07:00
cachefiles switch touch_atime to struct path 2012-03-20 21:29:41 -04:00
ceph tmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking 2012-10-21 09:27:57 -07:00
cifs cifs: fix potential buffer overrun in cifs.idmap handling code 2012-11-26 11:37:41 -08:00
coda Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
configfs make configfs_pin_fs() return root dentry on success 2012-03-20 21:29:48 -04:00
cramfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-03-21 13:36:41 -07:00
debugfs simple_open: automatically convert to simple_open() 2012-04-05 15:25:50 -07:00
devpts Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-03-21 13:36:41 -07:00
dlm dlm fixes for 3.4 2012-04-23 18:22:42 -07:00
ecryptfs eCryptfs: Call lower ->flush() from ecryptfs_flush() 2012-10-21 09:28:01 -07:00
efs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
exofs ore: Fix out-of-bounds access in _ios_obj() 2012-08-15 08:10:09 -07:00
exportfs
ext2 migrate ext2_fs.h guts to fs/ext2/ext2.h 2012-03-31 16:03:16 -04:00
ext3 ext3: Fix fdatasync() for files with only i_size changes 2012-09-14 10:00:32 -07:00
ext4 ext4: fix unjournaled inode bitmap modification 2012-11-05 09:50:41 +01:00
fat fat: fix bug in enforcing Long File Name length 2012-03-23 16:58:40 -07:00
freevxfs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
fscache
fuse fuse: fix retrieve length 2012-09-14 10:00:32 -07:00
gfs2 tmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking 2012-10-21 09:27:57 -07:00
hfs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
hfsplus hfsplus: fix bless ioctl when used with hardlinks 2012-06-22 11:36:57 -07:00
hostfs Merge branch 'for-linus-3.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml 2012-03-27 18:29:53 -07:00
hpfs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
hppfs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
hugetlbfs hugetlbfs: lockdep annotate root inode properly 2012-04-25 21:26:34 -07:00
isofs tmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking 2012-10-21 09:27:57 -07:00
jbd jbd: Fix assertion failure in commit code due to lacking transaction credits 2012-10-21 09:28:01 -07:00
jbd2 jbd2: don't write superblock when if its empty 2012-10-13 05:38:39 +09:00
jffs2 JFFS2: don't fail on bitflips in OOB 2012-10-13 05:39:00 +09:00
jfs jfs: mising cleanup on register_filesystem() failure 2012-03-20 21:29:48 -04:00
lockd NLM: nlm_lookup_file() may return NLMv4-specific error codes 2012-10-28 10:14:13 -07:00
logfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-03-21 13:36:41 -07:00
minix Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-03-21 13:36:41 -07:00
ncpfs Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
nfs NFS: Fix Oopses in nfs_lookup_revalidate and nfs4_lookup_revalidate 2012-11-17 13:16:12 -08:00
nfs_common
nfsd nfsd: add get_uint for u32's 2012-11-17 13:16:12 -08:00
nilfs2 nilfs2: fix deadlock issue between chcp and thaw ioctls 2012-08-15 08:10:05 -07:00
nls NLS: raname "maxlen" to "maxout" in UTF conversion routines 2011-11-26 19:58:47 -08:00
notify fanotify: fix missing break 2012-11-26 11:37:41 -08:00
ntfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-03-21 13:36:41 -07:00
ocfs2 ocfs2: fix NULL pointer dereference in __ocfs2_change_file_space() 2012-07-16 09:04:45 -07:00
omfs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
openpromfs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
proc nohz: Fix idle ticks in cpu summary line of /proc/stat 2012-10-28 10:14:12 -07:00
pstore Merge branch 'akpm' (Andrew's patch-bomb) 2012-04-05 15:30:34 -07:00
qnx4 qnx4: new helper - try_extent() 2012-03-20 21:29:52 -04:00
qnx6 fs: initial qnx6fs addition 2012-03-20 21:29:38 -04:00
quota Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs 2012-03-28 10:00:14 -07:00
ramfs fs: ramfs: file-nommu: add SetPageUptodate() 2012-07-16 09:04:45 -07:00
reiserfs tmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking 2012-10-21 09:27:57 -07:00
romfs MTD merge for 3.4 2012-03-30 17:31:56 -07:00
squashfs Add an extra mount time sanity check, plus some code cleanups and bug fixes. 2012-03-28 18:05:54 -07:00
sysfs sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat() 2012-10-31 10:02:57 -07:00
sysv switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
ubifs UBIFS: fix complaints about too small debug buffer size 2012-09-14 10:00:17 -07:00
udf udf: fix retun value on error path in udf_load_logicalvol 2012-10-13 05:39:00 +09:00
ufs Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
xfs xfs: drop buffer io reference when a bad bio is built 2012-11-26 11:37:36 -08:00
aio.c vfs: make AIO use the proper rw_verify_area() area helpers 2012-06-01 15:18:14 +08:00
anon_inodes.c anon_inodes: move allocation of anon_inode into ->mount() 2012-03-20 21:29:45 -04:00
attr.c vfs: increment iversion when a file is truncated 2012-06-10 00:36:12 +09:00
bad_inode.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
binfmt_aout.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
binfmt_elf_fdpic.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
binfmt_elf.c coredump: prevent double-free on an error path in core dumper 2012-10-07 08:32:27 -07:00
binfmt_em86.c __register_binfmt() made void 2012-03-20 21:29:46 -04:00
binfmt_flat.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
binfmt_misc.c magic.h: move some FS magic numbers into magic.h 2012-03-23 16:58:31 -07:00
binfmt_script.c __register_binfmt() made void 2012-03-20 21:29:46 -04:00
binfmt_som.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
bio-integrity.c fs: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:21 +08:00
bio.c bio allocation failure due to bio_get_nr_vecs() 2012-05-11 16:45:12 +02:00
block_dev.c block: don't mark buffers beyond end of disk as mapped 2012-05-11 16:42:14 +02:00
buffer.c block: replace __getblk_slow misfix by grow_dev_page fix 2012-09-14 10:00:20 -07:00
char_dev.c char_dev.c: fix up some whitespace errors 2011-12-13 11:18:17 -08:00
compat_binfmt_elf.c
compat_ioctl.c fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check 2012-10-31 10:02:55 -07:00
compat.c vfs: missed source of ->f_pos races 2012-09-14 10:00:05 -07:00
dcache.c vfs: dcache: fix deadlock in tree traversal 2012-10-07 08:32:22 -07:00
dcookies.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
direct-io.c Restore direct_io / truncate locking API 2012-02-23 15:56:21 -08:00
drop_caches.c
eventfd.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
eventpoll.c epoll: clear the tfile_check_list on -ELOOP 2012-04-25 21:26:33 -07:00
exec.c freezer: exec should clear PF_NOFREEZE along with PF_KTHREAD 2012-10-31 10:03:02 -07:00
fcntl.c Wrap accesses to the fd_sets in struct fdtable 2012-02-19 10:30:52 -08:00
fhandle.c vfs: prefer ->dentry->d_sb to ->mnt->mnt_sb 2012-01-06 23:16:53 -05:00
fifo.c fifo: Do not restart open() if it already found a partner 2012-07-19 08:58:56 -07:00
file_table.c vfs: drop_file_write_access() made static 2012-03-20 21:29:32 -04:00
file.c Merge branch 'x86-x32-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-03-29 18:12:23 -07:00
filesystems.c vfs: convert fs_supers to hlist 2012-01-03 22:52:39 -05:00
fs_struct.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
fs-writeback.c ext4: fix potential deadlock in ext4_nonda_switch() 2012-10-13 05:38:49 +09:00
generic_acl.c
inode.c trim includes in inode.c 2012-03-20 21:29:51 -04:00
internal.h vfs: protect remounting superblock read-only 2012-01-06 23:20:12 -05:00
ioctl.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
ioprio.c block: strip out locking optimization in put_io_context() 2012-02-07 07:51:30 +01:00
Kconfig Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-03-21 13:36:41 -07:00
Kconfig.binfmt fs: binfmt_elf: create Kconfig variable for PIE randomization 2012-01-10 16:30:51 -08:00
libfs.c dentry leak in simple_fill_super() failure exit 2012-04-09 01:39:22 -04:00
locks.c locks: fix checking of fcntl_setlease argument 2012-08-09 08:31:29 -07:00
Makefile fs: initial qnx6fs addition 2012-03-20 21:29:38 -04:00
mbcache.c
mount.h vfs: keep list of mounts for each superblock 2012-01-06 23:20:12 -05:00
mpage.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
namei.c vfs: make word-at-a-time accesses handle a non-existing page 2012-05-03 14:01:40 -07:00
namespace.c vfs: umount_tree() might be called on subtree that had never made it 2012-06-10 00:36:12 +09:00
no-block.c
open.c vfs: canonicalize create mode in build_open_flags() 2012-09-14 10:00:05 -07:00
pipe.c pipes: add a "packetized pipe" mode for writing 2012-04-29 13:12:42 -07:00
pnode.c vfs: switch pnode.h macros to struct mount * 2012-01-03 22:57:11 -05:00
pnode.h vfs: switch pnode.h macros to struct mount * 2012-01-03 22:57:11 -05:00
posix_acl.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
proc_namespace.c vfs: switch ->show_options() to struct dentry * 2012-01-06 23:19:54 -05:00
read_write.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
read_write.h
readdir.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
select.c posix_types.h: Cleanup stale __NFDBITS and related definitions 2012-08-09 08:31:39 -07:00
seq_file.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
signalfd.c epoll: ep_unregister_pollwait() can use the freed pwq->whead 2012-02-24 11:42:50 -08:00
splice.c splice: fix racy pipe->buffers uses 2012-07-16 09:04:42 -07:00
stack.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
stat.c vfs: make O_PATH file descriptors usable for 'fstat()' 2012-10-02 10:29:51 -07:00
statfs.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
super.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
sync.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
timerfd.c
utimes.c
xattr_acl.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
xattr.c fs/xattr.c:setxattr(): improve handling of allocation failures 2012-04-05 15:25:50 -07:00