summaryrefslogtreecommitdiff
path: root/arch/cris/include
diff options
context:
space:
mode:
authorArtem Bityutskiy <artem.bityutskiy@linux.intel.com>2013-06-28 11:15:15 (GMT)
committerAl Viro <viro@zeniv.linux.org.uk>2013-06-29 08:45:37 (GMT)
commit605c912bb843c024b1ed173dc427cd5c08e5d54d (patch)
tree4a5e9905f615e3e7f5a29c8fa21f5e5e9823aaeb /arch/cris/include
parent33f1a63ae84dfd9ad298cf275b8f1887043ced36 (diff)
downloadlinux-fsl-qoriq-605c912bb843c024b1ed173dc427cd5c08e5d54d.tar.xz
UBIFS: fix a horrid bug
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Cc: stable@vger.kernel.org Reported-by: Al Viro <viro@zeniv.linux.org.uk> Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'arch/cris/include')
0 files changed, 0 insertions, 0 deletions