summaryrefslogtreecommitdiff
path: root/mm/slob.c
diff options
context:
space:
mode:
authorArtem Bityutskiy <artem.bityutskiy@linux.intel.com>2013-06-28 14:15:15 +0300
committerAl Viro <viro@zeniv.linux.org.uk>2013-06-29 12:45:37 +0400
commit605c912bb843c024b1ed173dc427cd5c08e5d54d (patch)
tree4a5e9905f615e3e7f5a29c8fa21f5e5e9823aaeb /mm/slob.c
parent33f1a63ae84dfd9ad298cf275b8f1887043ced36 (diff)
downloadlinux-3.10-605c912bb843c024b1ed173dc427cd5c08e5d54d.tar.gz
linux-3.10-605c912bb843c024b1ed173dc427cd5c08e5d54d.tar.bz2
linux-3.10-605c912bb843c024b1ed173dc427cd5c08e5d54d.zip
UBIFS: fix a horrid bug
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Cc: stable@vger.kernel.org Reported-by: Al Viro <viro@zeniv.linux.org.uk> Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'mm/slob.c')
0 files changed, 0 insertions, 0 deletions