author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-06-13 07:40:54 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-06-13 07:49:58 -0400 |
commit | 36711f9ba818beeee2e5b168cfa8481faf67fcb5 (patch) | |
tree | d1f734b321177dfdf6607278885ac642c18ee04f /ecryptfs-forbid-opening-files-without-mmap-handler.patch | |
parent | de84f0e0275164b15335d30e9516d4ebdfe1ebb5 (diff) | |
CVE-2016-1583 stack overflow via ecryptfs and /proc (rhbz 1344721 1344722)
Diffstat (limited to 'ecryptfs-forbid-opening-files-without-mmap-handler.patch')
-rw-r--r-- | ecryptfs-forbid-opening-files-without-mmap-handler.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/ecryptfs-forbid-opening-files-without-mmap-handler.patch b/ecryptfs-forbid-opening-files-without-mmap-handler.patch
new file mode 100644
index 000000000..2d40e68ed
--- /dev/null
+++ b/ecryptfs-forbid-opening-files-without-mmap-handler.patch
@@ -0,0 +1,59 @@
+From 2f36db71009304b3f0b95afacd8eba1f9f046b87 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 1 Jun 2016 11:55:06 +0200
+Subject: [PATCH] ecryptfs: forbid opening files without mmap handler
+
+This prevents users from triggering a stack overflow through a recursive
+invocation of pagefault handling that involves mapping procfs files into
+virtual memory.
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Tyler Hicks <tyhicks@canonical.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/ecryptfs/kthread.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c
+index 866bb18efefe..e818f5ac7a26 100644
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -25,6 +25,7 @@
+ #include <linux/slab.h>
+ #include <linux/wait.h>
+ #include <linux/mount.h>
++#include <linux/file.h>
+ #include "ecryptfs_kernel.h"
+
+ struct ecryptfs_open_req {
+@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
+ flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
+ (*lower_file) = dentry_open(&req.path, flags, cred);
+ if (!IS_ERR(*lower_file))
+- goto out;
++ goto have_file;
+ if ((flags & O_ACCMODE) == O_RDONLY) {
+ rc = PTR_ERR((*lower_file));
+ goto out;
+@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file,
+ mutex_unlock(&ecryptfs_kthread_ctl.mux);
+ wake_up(&ecryptfs_kthread_ctl.wait);
+ wait_for_completion(&req.done);
+- if (IS_ERR(*lower_file))
++ if (IS_ERR(*lower_file)) {
+ rc = PTR_ERR(*lower_file);
++ goto out;
++ }
++have_file:
++ if ((*lower_file)->f_op->mmap == NULL) {
++ fput(*lower_file);
++ *lower_file = NULL;
++ rc = -EMEDIUMTYPE;
++ }
+ out:
+ return rc;
+ }
+--
+2.5.5
+ |
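Review bot: The new `have_file:` check in ecryptfs_privileged_open() rejects a lower file purely on `(*lower_file)->f_op->mmap == NULL` and returns `-EMEDIUMTYPE`, but nothing in the code says why; the stack-overflow rationale exists only in the patch description. I would add a comment above the test, for example `/* Lower files without an mmap handler (e.g. procfs) must not be stacked on: paging them in through eCryptfs can recurse in page-fault handling and overflow the kernel stack. */`, so the check is not later removed as dead weight. Note also that this is a presence test on the pointer, so any lower file whose f_op supplies an mmap handler still passes; whether another layer refuses stacking on such filesystems is not visible in this patch. The body of ecryptfs_privileged_open() starts outside both hunks, so how callers handle the new NULL-plus-error result cannot be checked here.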