summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTycho Andersen <tycho@tycho.ws>2018-11-02 23:18:22 +0300
committerDavid Teigland <teigland@redhat.com>2018-11-08 01:12:45 +0300
commit9de30f3f7f4d31037cfbb7c787e1089c1944b3a7 (patch)
treea2f6cc3d4b1c5aff5537378f57a8d4291ea28392
parent3f0806d2596de0a9ec381f37f97f6f5dbf1c6366 (diff)
downloadlinux-9de30f3f7f4d31037cfbb7c787e1089c1944b3a7.tar.xz
dlm: don't leak kernel pointer to userspace
In copy_result_to_user(), we first create a struct dlm_lock_result, which contains a struct dlm_lksb, the last member of which is a pointer to the lvb. Unfortunately, we copy the entire struct dlm_lksb to the result struct, which is then copied to userspace at the end of the function, leaking the contents of sb_lvbptr, which is a valid kernel pointer in some cases (indeed, later in the same function the data it points to is copied to userspace). It is an error to leak kernel pointers to userspace, as it undermines KASLR protections (see e.g. 65eea8edc31 ("floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl") for another example of this). Signed-off-by: Tycho Andersen <tycho@tycho.ws> Signed-off-by: David Teigland <teigland@redhat.com>
-rw-r--r--fs/dlm/user.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index 2a669390cd7f..13f29409600b 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -702,7 +702,7 @@ static int copy_result_to_user(struct dlm_user_args *ua, int compat,
result.version[0] = DLM_DEVICE_VERSION_MAJOR;
result.version[1] = DLM_DEVICE_VERSION_MINOR;
result.version[2] = DLM_DEVICE_VERSION_PATCH;
- memcpy(&result.lksb, &ua->lksb, sizeof(struct dlm_lksb));
+ memcpy(&result.lksb, &ua->lksb, offsetof(struct dlm_lksb, sb_lvbptr));
result.user_lksb = ua->user_lksb;
/* FIXME: dlm1 provides for the user's bastparam/addr to not be updated