android/android_kernel_samsung_sm8650
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
android_kernel_samsung_sm8650/fs
History
Artem Bityutskiy 605c912bb8 UBIFS: fix a horrid bug 
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.

This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
but this may corrupt memory and lead to all kinds of problems like crashes an
security holes.

This patch fixes the problem by using the 'file->f_version' field, which
'->llseek()' always unconditionally sets to zero. We set it to 1 in
'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
seek and it is time to clear the state saved in 'file->private_data'.

I tested this patch by writing a user-space program which runds readdir and
seek in parallell. I could easily crash the kernel without these patches, but
could not crash it with these patches.

Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-06-29 12:45:37 +04:00
..
9p
aio: don't include aio.h in sched.h
2013-05-07 20:16:25 -07:00
adfs
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
affs
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
afs
aio: don't include aio.h in sched.h
2013-05-07 20:16:25 -07:00
autofs4
autofs - remove autofs dentry mount check
2013-05-06 13:06:59 -07:00
befs
befs_readdir(): do not increment ->f_pos if filldir tells us to stop
2013-05-31 15:17:56 -04:00
bfs
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
btrfs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
2013-06-13 22:34:14 -07:00
cachefiles
lift sb_start_write() out of ->write()
2013-04-09 14:12:56 -04:00
ceph
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client
2013-06-12 08:28:19 -07:00
cifs
cifs: fix off-by-one bug in build_unc_path_to_root
2013-05-31 16:23:35 -05:00
coda
lift sb_start_write() out of ->write()
2013-04-09 14:12:56 -04:00
configfs
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
cramfs
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
debugfs
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
devpts
fs: Limit sys_mount to only request filesystem modules (Part 2).
2013-03-07 01:08:55 -08:00
dlm
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2013-05-01 14:08:52 -07:00
ecryptfs
eCryptfs: Check return of filemap_write_and_wait during fsync
2013-06-04 23:53:31 -07:00
efivarfs
efivarfs: Never return ENOENT from firmware again
2013-05-13 20:12:10 +01:00
efs
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
exofs
block: Add bio_for_each_segment_all()
2013-03-23 14:26:28 -07:00
exportfs
hlist: drop the node parameter from iterators
2013-02-27 19:10:24 -08:00
ext2
aio: don't include aio.h in sched.h
2013-05-07 20:16:25 -07:00
ext3
Merge branch 'akpm' (incoming from Andrew)
2013-05-07 20:49:51 -07:00
ext4
Fixed regressions (two stability regressions and a performance
2013-05-14 09:30:54 -07:00
f2fs
f2fs updates for v3.10
2013-05-08 15:11:48 -07:00
fat
fat: fix possible overflow for fat_clusters
2013-05-24 16:22:50 -07:00
freevxfs
fs: Readd the fs module aliases.
2013-03-12 18:55:21 -07:00
fscache
fs/fscache/stats.c: fix memory leak
2013-04-29 15:54:27 -07:00
fuse
fuse: fix alignment in short read optimization for async_dio
2013-06-03 15:15:42 +02:00
gfs2
GFS2: Don't cache iopen glocks
2013-06-03 16:40:22 +01:00
hfs
hfs: avoid crash in hfs_bnode_create
2013-05-24 16:22:51 -07:00
hfsplus
aio: don't include aio.h in sched.h
2013-05-07 20:16:25 -07:00
hostfs
hostfs: use kmalloc instead of kzalloc
2013-05-04 15:48:45 -04:00
hpfs
hpfs: fix warnings when the filesystem fills up
2013-06-08 17:39:40 -07:00
hppfs
hppfs: get rid of ->fsync()
2013-04-29 15:41:42 -04:00
hugetlbfs
hugetlbfs: fix mmap failure in unaligned size request
2013-05-07 18:38:27 -07:00
isofs
fs: Readd the fs module aliases.
2013-03-12 18:55:21 -07:00
jbd
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2013-05-03 09:56:25 -07:00
jbd2
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-05-01 17:51:54 -07:00
jffs2
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
jfs
fs/jfs: Add check if journaling to disk has been disabled in lbmRead()
2013-05-24 16:03:47 -05:00
lockd
LOCKD: Ensure that nlmclnt_block resets block->b_status after a server reboot
2013-04-21 18:08:42 -04:00
logfs
block: Remove bi_idx references
2013-03-23 14:15:31 -07:00
minix
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
ncpfs
ncpfs: fix rmdir returns Device or resource busy
2013-06-07 12:15:38 -04:00
nfs
NFS: Fix security flavor negotiation with legacy binary mounts
2013-05-30 16:31:34 -04:00
nfs_common
nfs_common: Update the translation between nfsv3 acls linux posix acls
2013-02-13 06:15:14 -08:00
nfsd
Merge branch 'for-3.10' of git://linux-nfs.org/~bfields/linux
2013-05-10 09:28:55 -07:00
nilfs2
nilfs2: fix issue of nilfs_set_page_dirty() for page at EOF boundary
2013-05-24 16:22:52 -07:00
nls
notify
unify compat fanotify_mark(2), switch to COMPAT_SYSCALL_DEFINE
2013-05-09 13:46:38 -04:00
ntfs
aio: don't include aio.h in sched.h
2013-05-07 20:16:25 -07:00
ocfs2
ocfs2: add missing lockres put in dlm_mig_lockres_handler
2013-06-12 16:29:46 -07:00
omfs
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
openpromfs
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
proc
kmsg: honor dmesg_restrict sysctl on /dev/kmsg
2013-06-12 16:29:44 -07:00
pstore
Couple of pstore cleanups
2013-05-09 16:42:10 -07:00
qnx4
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
qnx6
qnx6: qnx6_readdir() has a braino in pos calculation
2013-05-31 15:17:31 -04:00
quota
quota: add missing use of dq_data_lock in __dquot_initialize
2013-03-11 22:05:56 +01:00
ramfs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-02-26 20:16:07 -08:00
reiserfs
reiserfs: fix deadlock with nfs racing on create/lookup
2013-05-31 23:14:20 +02:00
romfs
romfs: fix nommu map length to keep inside filesystem
2013-04-29 09:17:57 +10:00
squashfs
fs: Limit sys_mount to only request filesystem modules. (Part 3)
2013-03-11 07:09:48 -07:00
sysfs
sysfs: check if one entry has been removed before freeing
2013-04-05 15:35:52 -07:00
sysv
fs: Readd the fs module aliases.
2013-03-12 18:55:21 -07:00
ubifs
UBIFS: fix a horrid bug
2013-06-29 12:45:37 +04:00
udf
aio: don't include aio.h in sched.h
2013-05-07 20:16:25 -07:00
ufs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial
2013-04-30 09:36:50 -07:00
xfs
xfs: don't shutdown log recovery on validation errors
2013-06-14 15:59:45 -05:00
aio.c
aio: fix io_destroy() regression by using call_rcu()
2013-06-12 16:29:46 -07:00
anon_inodes.c
get_empty_filp()/alloc_file() leave both ->f_pos and ->f_version zero
2013-02-26 02:46:11 -05:00
attr.c
userns: Allow chown and setgid preservation
2012-11-20 04:17:24 -08:00
bad_inode.c
lseek: the "whence" argument is called "whence"
2012-12-17 17:15:12 -08:00
binfmt_aout.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-05-01 17:51:54 -07:00
binfmt_elf_fdpic.c
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc
2013-05-02 10:16:16 -07:00
binfmt_elf.c
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc
2013-05-02 10:16:16 -07:00
binfmt_em86.c
exec: use -ELOOP for max recursion depth
2012-12-17 17:15:23 -08:00
binfmt_flat.c
new helper: read_code()
2013-04-29 15:40:23 -04:00
binfmt_misc.c
binfmt_misc: reuse string_unescape_inplace()
2013-04-30 17:04:03 -07:00
binfmt_script.c
exec: do not leave bprm->interp on stack
2012-12-20 17:40:19 -08:00
binfmt_som.c
get rid of pt_regs argument of ->load_binary()
2012-11-28 21:53:38 -05:00
bio-integrity.c
bio-integrity: Add explicit field for owner of bip_buf
2013-03-23 14:26:34 -07:00
bio.c
Merge branch 'for-3.10/core' of git://git.kernel.dk/linux-block
2013-05-08 10:13:35 -07:00
block_dev.c
Merge branch 'for-3.10/core' of git://git.kernel.dk/linux-block
2013-05-08 10:13:35 -07:00
buffer.c
Merge branch 'for-3.10/core' of git://git.kernel.dk/linux-block
2013-05-08 10:13:35 -07:00
char_dev.c
char_dev: pin parent kobject
2012-10-22 08:50:37 +03:00
compat_binfmt_elf.c
coredump: extend core dump note section to contain file names of mapped files
2012-10-06 03:05:17 +09:00
compat_ioctl.c
Removed unused typedef to avoid "unused local typedef" warnings.
2013-05-04 15:03:05 -04:00
compat.c
aio: don't include aio.h in sched.h
2013-05-07 20:16:25 -07:00
coredump.c
do_coredump(): don't wait for thaw if coredump has already been interrupted
2013-05-04 14:45:54 -04:00
coredump.h
coredump: update coredump-related headers
2012-10-06 03:05:15 +09:00
dcache.c
vfs: use list_move instead of list_del/list_add
2013-05-04 15:43:02 -04:00
dcookies.c
consolidate compat lookup_dcookie()
2013-03-03 23:00:23 -05:00
direct-io.c
Merge branch 'for-3.10/core' of git://git.kernel.dk/linux-block
2013-05-08 10:13:35 -07:00
drop_caches.c
eventfd.c
fs, eventfd: add procfs fdinfo helper
2012-12-17 17:15:27 -08:00
eventpoll.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/signal
2013-05-01 07:21:43 -07:00
exec.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-05-01 17:51:54 -07:00
fcntl.c
new helper: file_inode(file)
2013-02-22 23:31:31 -05:00
fhandle.c
Merge branch 'for-3.8' of git://linux-nfs.org/~bfields/linux
2012-12-20 14:04:11 -08:00
file_table.c
fput: task_work_add() can fail if the caller has passed exit_task_work()
2013-06-15 05:39:08 +04:00
file.c
don't bother with deferred freeing of fdtables
2013-05-01 17:31:42 -04:00
filesystems.c
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
fs_struct.c
constify path_get/path_put and fs_struct.c stuff
2013-03-01 23:51:07 -05:00
fs-writeback.c
Merge branch 'for-3.10/core' of git://git.kernel.dk/linux-block
2013-05-08 10:13:35 -07:00
generic_acl.c
userns: Pass a userns parameter into posix_acl_to_xattr and posix_acl_from_xattr
2012-09-18 01:01:35 -07:00
inode.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-05-01 17:51:54 -07:00
internal.h
splice: don't pass the address of ->f_pos to methods
2013-06-20 19:02:45 +04:00
ioctl.c
new helper: file_inode(file)
2013-02-22 23:31:31 -05:00
ioprio.c
Kconfig
efivarfs: Move to fs/efivarfs
2013-04-17 13:25:09 +01:00
Kconfig.binfmt
fs: make binfmt support for #! scripts modular and removable
2013-04-30 17:04:04 -07:00
libfs.c
vfs: drop vmtruncate
2012-12-20 18:46:29 -05:00
locks.c
new helper: file_inode(file)
2013-02-22 23:31:31 -05:00
Makefile
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-05-01 17:51:54 -07:00
mbcache.c
mount.h
get rid of full-hash scan on detaching vfsmounts
2013-04-09 14:12:52 -04:00
mpage.c
namei.c
use can_lookup() instead of direct checks of ->i_op->lookup
2013-06-15 05:41:45 +04:00
namespace.c
create_mnt_ns: unidiomatic use of list_add()
2013-05-04 15:18:53 -04:00
no-block.c
open.c
make SYSCALL_DEFINE<n>-generated wrappers do asmlinkage_protect
2013-03-03 22:58:33 -05:00
pipe.c
aio: don't include aio.h in sched.h
2013-05-07 20:16:25 -07:00
pnode.c
vfs: Fix invalid ida_remove() call
2013-05-31 15:16:33 -04:00
pnode.h
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-05-01 17:51:54 -07:00
posix_acl.c
userns: Convert vfs posix_acl support to use kuids and kgids
2012-09-18 01:01:35 -07:00
proc_namespace.c
get rid of magic in proc_namespace.c
2012-07-14 16:32:48 +04:00
read_write.c
splice: don't pass the address of ->f_pos to methods
2013-06-20 19:02:45 +04:00
readdir.c
new helper: file_inode(file)
2013-02-22 23:31:31 -05:00
select.c
sched/rt: Move rt specific bits into new header file
2013-02-07 20:51:08 +01:00
seq_file.c
new helper: single_open_size()
2013-04-09 14:13:29 -04:00
signalfd.c
switch signalfd{,4}() to COMPAT_SYSCALL_DEFINE
2013-03-03 22:58:46 -05:00
splice.c
splice: don't pass the address of ->f_pos to methods
2013-06-20 19:02:45 +04:00
stack.c
stat.c
switch vfs_getattr() to struct path
2013-02-26 02:46:08 -05:00
statfs.c
vfs: fix user_statfs to retry once on ESTALE errors
2012-12-20 18:50:07 -05:00
super.c
hlist: drop the node parameter from iterators
2013-02-27 19:10:24 -08:00
sync.c
teach SYSCALL_DEFINE<n> how to deal with long long/unsigned long long
2013-03-03 22:46:22 -05:00
timerfd.c
compat: restore timerfd settime and gettime compat syscalls
2013-03-02 09:35:13 -05:00
utimes.c
vfs: allow utimensat() calls to retry once on an ESTALE error
2012-12-20 18:50:08 -05:00
xattr_acl.c
userns: Fix posix_acl_file_xattr_userns gid conversion
2012-10-12 13:16:48 -07:00
xattr.c
vfs: make lremovexattr retry once on ESTALE error
2012-12-20 18:50:11 -05:00