| commit | 8875b99e83a4437b5a3f731c1b295bc290578224 | |
| author | Dan Rosenberg <dan.j.rosenberg@gmail.com> | |
| Mon, 19 Jul 2010 20:58:20 +0000 (19 16:58 -0400) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Mon, 2 Aug 2010 17:20:47 +0000 (2 10:20 -0700) | ||
| tree | 31e100689225191031e5d8298cffd3a252834e7e | treesnapshot (tar.gz zip) |
| parent | 7d7810cdb93c6afcf77d8b6109f345009556e78c | commitdiff |
Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE
commit 2ebc3464781ad24474abcbd2274e6254689853b5 upstream.
1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check
whether the donor file is append-only before writing to it.
2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer
overflow that allows a user to specify an out-of-bounds range to copy
from the source file (if off + len wraps around). I haven't been able
to successfully exploit this, but I'd imagine that a clever attacker
could use this to read things he shouldn't. Even if it's not
exploitable, it couldn't hurt to be safe.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 2ebc3464781ad24474abcbd2274e6254689853b5 upstream.
1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check
whether the donor file is append-only before writing to it.
2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer
overflow that allows a user to specify an out-of-bounds range to copy
from the source file (if off + len wraps around). I haven't been able
to successfully exploit this, but I'd imagine that a clever attacker
could use this to read things he shouldn't. Even if it's not
exploitable, it couldn't hurt to be safe.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| fs/btrfs/ioctl.c | diffblobblamehistory |