diff options
author | Artem Bityutskiy <artem.bityutskiy@linux.intel.com> | 2013-06-28 14:15:15 +0300 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2013-06-29 12:45:37 +0400 |
commit | 605c912bb843c024b1ed173dc427cd5c08e5d54d (patch) | |
tree | 4a5e9905f615e3e7f5a29c8fa21f5e5e9823aaeb /arch/arm/include/asm/pgtable-nommu.h | |
parent | 33f1a63ae84dfd9ad298cf275b8f1887043ced36 (diff) | |
download | linux-605c912bb843c024b1ed173dc427cd5c08e5d54d.tar.gz linux-605c912bb843c024b1ed173dc427cd5c08e5d54d.tar.bz2 linux-605c912bb843c024b1ed173dc427cd5c08e5d54d.zip |
UBIFS: fix a horrid bug
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.
This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
but this may corrupt memory and lead to all kinds of problems like crashes an
security holes.
This patch fixes the problem by using the 'file->f_version' field, which
'->llseek()' always unconditionally sets to zero. We set it to 1 in
'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
seek and it is time to clear the state saved in 'file->private_data'.
I tested this patch by writing a user-space program which runds readdir and
seek in parallell. I could easily crash the kernel without these patches, but
could not crash it with these patches.
Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'arch/arm/include/asm/pgtable-nommu.h')
0 files changed, 0 insertions, 0 deletions