This is a note to let you know that I've just added the patch titled

    NFSv4: Check for buffer length in __nfs4_get_acl_uncached

to the 3.7-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfsv4-check-for-buffer-length-in-__nfs4_get_acl_uncached.patch
and it can be found in the queue-3.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


From 7d3e91a89b7adbc2831334def9e494dd9892f9af Mon Sep 17 00:00:00 2001
From: Sven Wegener <[email protected]>
Date: Sat, 8 Dec 2012 15:30:18 +0100
Subject: NFSv4: Check for buffer length in __nfs4_get_acl_uncached

From: Sven Wegener <[email protected]>

commit 7d3e91a89b7adbc2831334def9e494dd9892f9af upstream.

Commit 1f1ea6c "NFSv4: Fix buffer overflow checking in
__nfs4_get_acl_uncached" accidentally dropped the checking for too small
result buffer length.

If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount
supporting ACLs, the ACL has not been cached and the buffer supplied is
too short, we still copy the complete ACL, resulting in kernel and user
space memory corruption.

Signed-off-by: Sven Wegener <[email protected]>
Signed-off-by: Trond Myklebust <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 fs/nfs/nfs4proc.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3937,8 +3937,13 @@ static ssize_t __nfs4_get_acl_uncached(s
                goto out_free;
        }
        nfs4_write_cached_acl(inode, pages, res.acl_data_offset, res.acl_len);
-       if (buf)
+       if (buf) {
+               if (res.acl_len > buflen) {
+                       ret = -ERANGE;
+                       goto out_free;
+               }
                _copy_from_pages(buf, pages, res.acl_data_offset, res.acl_len);
+       }
 out_ok:
        ret = res.acl_len;
 out_free:
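Review bot: the new `res.acl_len > buflen` check inside the `if (buf)` branch runs after nfs4_write_cached_acl(), so a caller with a too-small buffer still populates the ACL cache before getting -ERANGE via out_free. That ordering looks deliberate (a retry with a larger buffer presumably no longer needs this uncached path), but a one-line comment above the check saying so would keep a later cleanup from moving it ahead of the cache write. The comment could also note that the buf == NULL case skips the check on purpose and falls through to out_ok, returning res.acl_len.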


Patches currently in stable-queue which might be from [email protected] 
are

queue-3.7/nfsv4-check-for-buffer-length-in-__nfs4_get_acl_uncached.patch