From: Jann Horn
Date: Fri, 11 Sep 2015 19:39:33 +0000 (+0200)
Subject: xfs: fix type confusion in xfs_ioc_swapext
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=3e0a396546450536679ae4d3bd70290ce0b0c79c;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git

xfs: fix type confusion in xfs_ioc_swapext

Without this check, the following XFS_I invocations would return bad pointers when used on non-XFS inodes (perhaps pointers into preceding allocator chunks). This could be used by an attacker to trick xfs_swap_extents into performing locking operations on attacker-chosen structures in kernel memory, potentially leading to code execution in the kernel. (I have not investigated how likely this is to be usable for an attack in practice.)

Signed-off-by: Jann Horn
Cc: Andy Lutomirski
Cc: Dave Chinner
Signed-off-by: Linus Torvalds
---
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index dbca7375deef..63a6ff2cfc68 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c @@ -1575,6 +1575,12 @@ xfs_ioc_swapext( goto out_put_tmp_file; } + if (f.file->f_op != &xfs_file_operations || + tmp.file->f_op != &xfs_file_operations) { + error = -EINVAL; + goto out_put_tmp_file; + } + ip = XFS_I(file_inode(f.file)); tip = XFS_I(file_inode(tmp.file));
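Review bot: the new f_op identity check in xfs_ioc_swapext is correctly placed before the two XFS_I() casts and routes through the existing out_put_tmp_file label, so both file references are still dropped on the error path; what it lacks is a one-line code comment stating why it exists. XFS_I() is an unchecked container_of-style cast, so the `f.file->f_op != &xfs_file_operations` comparison is the only thing guaranteeing that both inodes really are XFS inodes. A comment such as `/* XFS_I() below is unchecked: both fds must be XFS regular files */` would keep a future reader from seeing this as an arbitrary filesystem restriction and relaxing it, which would reintroduce the type confusion the commit message describes.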