www.infradead.org Git - users/jedix/linux-maple.git/commit
Avoid reading past buffer when calling GETACL
author Sachin Prabhu <sprabhu@redhat.com>
Tue, 17 Apr 2012 13:35:39 +0000 (14:35 +0100)
committer Maxim Uvarov <maxim.uvarov@oracle.com>
Wed, 19 Dec 2012 13:36:26 +0000 (05:36 -0800)
commit 936ae8f34a2be083595aa9136fe44ba46ee0d37c
tree ce3093b1743239b0b6cbb8ace31c6313fc51b54a
parent c85fc9c2d92cca5c01315a7b0dd32ea20054ede6
Avoid reading past buffer when calling GETACL

Bug-db: 14798
CVE: CVE-2012-2375
(mainline commit 5a00689930ab975fdd1b37b034475017e460cf2a)
Bug noticed in commit
bf118a342f10dafe44b14451a1392c3254629a1f

When calling GETACL, if the size of the bitmap array, the length
attribute and the acl returned by the server is greater than the
allocated buffer(args.acl_len), we can Oops with a General Protection
fault at _copy_from_pages() when we attempt to read past the pages
allocated.

This patch allocates an extra PAGE for the bitmap and checks to see that
the bitmap + attribute_length + ACLs don't exceed the buffer space
allocated to it.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reported-by: Jian Li <jiali@redhat.com>
[Trond: Fixed a size_t vs unsigned int printk() warning]
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Maxim Uvarov <maxim.uvarov@oracle.com>
Conflicts:
fs/nfs/nfs4proc.c
fs/nfs/nfs4proc.c
fs/nfs/nfs4xdr.c
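
The check the commit message describes (bitmap + attribute length + ACL must not exceed the buffer), as an added user-space example that is not the kernel patch or code from this commit. The simplified reply layout, `xdr_u32`, `getacl_decode` and the sample replies are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one big-endian XDR word at *off, refusing to read past len. */
static int xdr_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *v)
{
    if (len - *off < 4)   /* callers keep *off <= len */
        return -1;
    *v = (uint32_t)b[*off] << 24 | (uint32_t)b[*off + 1] << 16 |
         (uint32_t)b[*off + 2] << 8 | b[*off + 3];
    *off += 4;
    return 0;
}

/* Simplified reply model (an assumption, not the kernel's structures):
 * bitmap word count, bitmap words, attribute length, ACL bytes.
 * Returns the ACL length copied to out, or -1 if the lengths do not fit. */
long getacl_decode(const uint8_t *b, size_t len, uint8_t *out, size_t out_len)
{
    size_t off = 0;
    uint32_t words, attrlen;

    if (xdr_u32(b, len, &off, &words) || words > (len - off) / 4)
        return -1;                      /* bitmap would overrun the buffer */
    off += (size_t)words * 4;
    if (xdr_u32(b, len, &off, &attrlen))
        return -1;
    /* bitmap + attribute length + ACL must stay inside the received data */
    if (attrlen > len - off || attrlen > out_len)
        return -1;
    memcpy(out, b + off, attrlen);
    return (long)attrlen;
}

/* Constructed replies: one bitmap word, attribute length, 4 ACL bytes. */
static const uint8_t good_reply[] = {0,0,0,1, 0,0,0,0, 0,0,0,4, 'a','c','l','!'};
/* Same bytes, but the length field claims 4096 ACL bytes. */
static const uint8_t bad_reply[] = {0,0,0,1, 0,0,0,0, 0,0,16,0, 'a','c','l','!'};

int main(void)
{
    uint8_t out[8192];
    printf("good: %ld\n", getacl_decode(good_reply, sizeof good_reply, out, sizeof out));
    printf("bad:  %ld\n", getacl_decode(bad_reply, sizeof bad_reply, out, sizeof out));
    return 0;
}
```

The output buffer is deliberately larger than the claimed 4096 bytes, so the oversized reply is rejected by the received-data check rather than by the caller's buffer size.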