xfs: fix over-copying of getbmap parameters from userspace
author: Darrick J. Wong <darrick.wong@oracle.com>
Mon, 3 Apr 2017 22:17:57 +0000 (15:17 -0700)
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 7 Jun 2017 10:06:02 +0000 (12:06 +0200)
commit be6324c00c4d1e0e665f03ed1fc18863a88da119 upstream.

In xfs_ioc_getbmap, we should only copy the fields of struct getbmap
from userspace, or else we end up copying random stack contents into the
kernel.  struct getbmap is a strict subset of getbmapx, so a partial
structure copy should work fine.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/xfs/xfs_ioctl.c

index d42738deec6de6128b1a4b0784c45b5447848d02..08479daa6781d23365868363baabe4feb53e7652 100644 (file)
@@ -1379,10 +1379,11 @@ xfs_ioc_getbmap(
        unsigned int            cmd,
        void                    __user *arg)
 {
-       struct getbmapx         bmx;
+       struct getbmapx         bmx = { 0 };
        int                     error;
 
-       if (copy_from_user(&bmx, arg, sizeof(struct getbmapx)))
+       /* struct getbmap is a strict subset of struct getbmapx. */
+       if (copy_from_user(&bmx, arg, offsetof(struct getbmapx, bmv_iflags)))
                return -EFAULT;
 
        if (bmx.bmv_count < 2)
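
Review bot: The copy length in the copy_from_user() call is written as offsetof(struct getbmapx, bmv_iflags), which only equals the size of struct getbmap as long as bmv_iflags stays the first getbmapx-only field and the two layouts stay in step; nothing in the hunk enforces the "strict subset" claim made in the new comment. Consider using sizeof(struct getbmap) as the length so the intent is stated directly, or keep the offsetof() and add a BUILD_BUG_ON(offsetof(struct getbmapx, bmv_iflags) != sizeof(struct getbmap)) next to it so a later change to either structure fails at build time instead of silently changing how many bytes are taken from userspace. The comment could also say that the "= { 0 }" initializer is what keeps the uncopied tail of bmx defined, since the two changes depend on each other and a later cleanup that drops the initializer would bring back the uninitialized stack bytes the commit message describes.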