diff options
| author | Dan Rosenberg <dan.j.rosenberg@gmail.com> | 2010-07-19 16:58:20 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-08-02 10:26:32 -0700 |
| commit | 31f2ec9a89ba61ae1c3cfcd987567f14462a9cb2 (patch) | |
| tree | ad18430408cc3bba9737dbf39cb5a60114cc4b11 /sound/pci/cs5535audio/cs5535audio.h | |
| parent | 394c17d4076fe95d0033e6be390629c8fbb6ebdb (diff) | |
| download | lwn-31f2ec9a89ba61ae1c3cfcd987567f14462a9cb2.tar.gz lwn-31f2ec9a89ba61ae1c3cfcd987567f14462a9cb2.zip | |
Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE
commit 2ebc3464781ad24474abcbd2274e6254689853b5 upstream.
1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check
whether the donor file is append-only before writing to it.
2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer
overflow that allows a user to specify an out-of-bounds range to copy
from the source file (if off + len wraps around). I haven't been able
to successfully exploit this, but I'd imagine that a clever attacker
could use this to read things he shouldn't. Even if it's not
exploitable, it couldn't hurt to be safe.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'sound/pci/cs5535audio/cs5535audio.h')
0 files changed, 0 insertions, 0 deletions