remarkable-linux/fs/cifs
Jeff Layton 5d81de8e86 cifs: ensure that uncached writes handle unmapped areas correctly
It's possible for userland to pass down an iovec via writev() that has a
bogus user pointer in it. If that happens and we're doing an uncached
write, then we can end up getting fewer bytes than we expect from the
call to iov_iter_copy_from_user. This is CVE-2014-0069.

cifs_iovec_write isn't set up to handle that situation however. It'll
blindly keep chugging through the page array and not filling those pages
with anything useful. Worse yet, we'll later end up with a negative
number in wdata->tailsz, which will confuse the sending routines and
cause an oops at the very least.

Fix this by having the copy phase of cifs_iovec_write stop copying data
in this situation and send the last write as a short one. At the same
time, we want to avoid sending a zero-length write to the server, so
break out of the loop and set rc to -EFAULT if that happens. This also
allows us to handle the case where no address in the iovec is valid.

[Note: Marking this for stable on v3.4+ kernels, but kernels as old as
       v2.6.38 may have a similar problem and may need a similar fix]

Cc: <stable@vger.kernel.org> # v3.4+
Reviewed-by: Pavel Shilovsky <piastry@etersoft.ru>
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
2014-02-14 16:46:15 -06:00
asn1.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cache.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cifs_debug.c cifs: try to handle the MUST SecurityFlags sanely 2013-06-26 17:31:55 -05:00
cifs_debug.h [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cifs_dfs_ref.c cifs: fix composing of mount options for DFS referrals 2013-05-24 13:08:31 -05:00
cifs_fs_sb.h cifs: rcu-delay unload_nls() and freeing sbi 2013-10-24 23:43:27 -04:00
cifs_spnego.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cifs_spnego.h [CIFS] Rename three structures to avoid camel case 2011-05-27 04:34:02 +00:00
cifs_unicode.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cifs_unicode.h cifs: add new case-insensitive conversion routines that are based on wchar_t's 2013-09-08 14:38:05 -05:00
cifs_uniupr.h cifs: correction of unicode header files 2010-08-20 00:46:42 +00:00
cifsacl.c [CIFS] Fix cifsacl mounts over smb2 to not call cifs 2014-02-10 14:08:16 -06:00
cifsacl.h cifs: fix SID binary to string conversion 2012-12-11 11:48:49 -06:00
cifsencrypt.c cifs: Use data structures to compute NTLMv2 response offsets 2013-11-11 16:58:11 -06:00
cifsfs.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-11-13 15:34:18 +09:00
cifsfs.h new helper: kfree_put_link() 2013-10-24 23:34:49 -04:00
cifsglob.h [CIFS] Fix cifsacl mounts over smb2 to not call cifs 2014-02-10 14:08:16 -06:00
cifspdu.h cifs: Use data structures to compute NTLMv2 response offsets 2013-11-11 16:58:11 -06:00
cifsproto.h [CIFS] Fix cifsacl mounts over smb2 to not call cifs 2014-02-10 14:08:16 -06:00
cifssmb.c [CIFS] clean up page array when uncached write send fails 2014-02-07 20:47:00 -06:00
connect.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-11-13 15:34:18 +09:00
dir.c [CIFS] Fix cifsacl mounts over smb2 to not call cifs 2014-02-10 14:08:16 -06:00
dns_resolve.c cifs: fix composing of mount options for DFS referrals 2013-05-24 13:08:31 -05:00
dns_resolve.h DNS: Separate out CIFS DNS Resolver code 2010-08-05 17:17:51 +00:00
export.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
file.c cifs: ensure that uncached writes handle unmapped areas correctly 2014-02-14 16:46:15 -06:00
fscache.c NFS client updates for Linux 3.13 2013-11-08 05:57:46 +09:00
fscache.h CIFS: FS-Cache: Uncache unread pages in cifs_readpages() before freeing them 2013-09-18 10:17:03 -05:00
inode.c [CIFS] Fix cifsacl mounts over smb2 to not call cifs 2014-02-10 14:08:16 -06:00
ioctl.c [CIFS] Do not use btrfs refcopy ioctl for SMB2 copy offload 2013-11-25 09:50:31 -06:00
Kconfig [CIFS] SMB3 Signing enablement 2013-06-26 23:45:05 -05:00
link.c cifs: Fix check for regular file in couldbe_mf_symlink() 2014-01-31 09:06:43 -06:00
Makefile cifs: add new case-insensitive conversion routines that are based on wchar_t's 2013-09-08 14:38:05 -05:00
misc.c cifs: Make big endian multiplex ID sequences monotonic on the wire 2013-11-02 12:51:53 -05:00
netmisc.c cifs: change ERRnomem error mapping from ENOMEM to EREMOTEIO 2013-11-11 16:33:25 -06:00
nterr.c CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
nterr.h CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
ntlmssp.h CIFS: Add session setup/logoff capability for SMB2 2012-07-24 21:54:57 +04:00
readdir.c cifs: Rename MF symlink function names 2014-01-20 00:13:54 -06:00
rfc1002pdu.h [CIFS] whitespace cleanup 2007-06-05 18:30:44 +00:00
sess.c cifs: Allow LANMAN auth method for servers supporting unencapsulated authentication methods 2013-10-07 09:57:11 -05:00
smb1ops.c [CIFS] Fix cifsacl mounts over smb2 to not call cifs 2014-02-10 14:08:16 -06:00
smb2file.c CIFS: Store lease state itself rather than a mapped oplock value 2013-09-09 22:52:05 -05:00
smb2glob.h [CIFS] SMB3 Signing enablement 2013-06-26 23:45:05 -05:00
smb2inode.c CIFS: Fix symbolic links usage 2013-11-11 16:31:03 -06:00
smb2maperror.c cifs: change ERRnomem error mapping from ENOMEM to EREMOTEIO 2013-11-11 16:33:25 -06:00
smb2misc.c CIFS: Respect epoch value from create lease context v2 2013-09-09 22:52:18 -05:00
smb2ops.c Check SMB3 dialects against downgrade attacks 2013-11-19 23:52:54 -06:00
smb2pdu.c [CIFS] clean up page array when uncached write send fails 2014-02-07 20:47:00 -06:00
smb2pdu.h Check SMB3 dialects against downgrade attacks 2013-11-19 23:52:54 -06:00
smb2proto.h [CIFS] clean up page array when uncached write send fails 2014-02-07 20:47:00 -06:00
smb2status.h CIFS: Add SMB2 status codes 2012-07-24 10:25:13 -05:00
smb2transport.c cifs: Send a logoff request before removing a smb session 2013-11-02 12:52:35 -05:00
smbencrypt.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
smberr.h cifs: map NT_STATUS_ERROR_WRITE_PROTECTED to -EROFS 2010-08-02 12:40:40 +00:00
smbfsctl.h Check SMB3 dialects against downgrade attacks 2013-11-19 23:52:54 -06:00
transport.c cifs: Send a logoff request before removing a smb session 2013-11-02 12:52:35 -05:00
winucase.c [CIFS] quiet sparse compile warning 2013-09-08 14:54:24 -05:00
xattr.c retrieving CIFS ACLs when mounted with SMB2 fails dropping session 2014-02-07 11:08:17 -06:00