diff options
author | Jann Horn <jann@thejh.net> | 2016-01-05 18:27:30 +0100 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2016-01-08 21:18:13 -0500 |
commit | a7f61e89af73e9bf760826b20dba4e637221fcb9 (patch) | |
tree | 1a789dfbe2d49a18745416914e090425c44ae454 /fs/cifs | |
parent | 66cf191f3eae4582a83cb4251b75b43bee95a999 (diff) | |
download | lwn-a7f61e89af73e9bf760826b20dba4e637221fcb9.tar.gz lwn-a7f61e89af73e9bf760826b20dba4e637221fcb9.zip |
compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)
This replaces all code in fs/compat_ioctl.c that translated
ioctl arguments into a in-kernel structure, then performed
do_ioctl under set_fs(KERNEL_DS), with code that allocates
data on the user stack and can call the VFS ioctl handler
under USER_DS.
This is done as a hardening measure because the caller
does not know what kind of ioctl handler will be invoked,
only that no corresponding compat_ioctl handler exists and
what the ioctl command number is. The accidental
invocation of an unlocked_ioctl handler that unexpectedly
calls copy_to_user could be a severe security issue.
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/cifs')
0 files changed, 0 insertions, 0 deletions