diff options
author | Darrick J. Wong <darrick.wong@oracle.com> | 2017-04-03 15:17:57 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-06-07 12:06:02 +0200 |
commit | 0ace12c11401b813a60a2d8b3b95aee183312dde (patch) | |
tree | 4f3eac7f0c854c255b6330842a23e4edf0dd9a4f /fs | |
parent | fe705621b9b43dcc1c2acd0f1c3af66ddeb9f617 (diff) |
xfs: fix over-copying of getbmap parameters from userspace
commit be6324c00c4d1e0e665f03ed1fc18863a88da119 upstream.
In xfs_ioc_getbmap, we should only copy the fields of struct getbmap
from userspace, or else we end up copying random stack contents into the
kernel. struct getbmap is a strict subset of getbmapx, so a partial
structure copy should work fine.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/xfs/xfs_ioctl.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index d42738deec6d..08479daa6781 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c @@ -1379,10 +1379,11 @@ xfs_ioc_getbmap( unsigned int cmd, void __user *arg) { - struct getbmapx bmx; + struct getbmapx bmx = { 0 }; int error; - if (copy_from_user(&bmx, arg, sizeof(struct getbmapx))) + /* struct getbmap is a strict subset of struct getbmapx. */ + if (copy_from_user(&bmx, arg, offsetof(struct getbmapx, bmv_iflags))) return -EFAULT; if (bmx.bmv_count < 2) |