diff options
| author | Jann Horn <jann@thejh.net> | 2015-09-11 16:27:27 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2015-10-01 11:36:11 +0200 |
| commit | cc45b90cf124f0f0afb07f81b6bb9f27bce3ad1a (patch) | |
| tree | ba43baf15770c9ceb4448025b3c078c3d02b03f0 /fs | |
| parent | 5d395c5df33ca77b6da7e36a1f971bdcc580ec4a (diff) | |
| download | lwn-cc45b90cf124f0f0afb07f81b6bb9f27bce3ad1a.tar.gz lwn-cc45b90cf124f0f0afb07f81b6bb9f27bce3ad1a.zip | |
CIFS: fix type confusion in copy offload ioctl
commit 4c17a6d56bb0cad3066a714e94f7185a24b40f49 upstream.
This might lead to local privilege escalation (code execution as
kernel) for systems where the following conditions are met:
- CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled
- a cifs filesystem is mounted where:
- the mount option "vers" was used and set to a value >=2.0
- the attacker has write access to at least one file on the filesystem
To attack this, an attacker would have to guess the target_tcon
pointer (but guessing wrong doesn't cause a crash, it just returns an
error code) and win a narrow race.
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/cifs/ioctl.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/cifs/ioctl.c b/fs/cifs/ioctl.c index dfc95646b88c..31df9bceedca 100644 --- a/fs/cifs/ioctl.c +++ b/fs/cifs/ioctl.c @@ -67,6 +67,12 @@ static long cifs_ioctl_clone(unsigned int xid, struct file *dst_file, goto out_drop_write; } + if (src_file.file->f_op->unlocked_ioctl != cifs_ioctl) { + rc = -EBADF; + cifs_dbg(VFS, "src file seems to be from a different filesystem type\n"); + goto out_fput; + } + if ((!src_file.file->private_data) || (!dst_file->private_data)) { rc = -EBADF; cifs_dbg(VFS, "missing cifsFileInfo on copy range src file\n"); |