summaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorJann Horn <jann@thejh.net>2015-09-11 21:39:33 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2016-07-16 06:30:06 +0900
commit3e0a396546450536679ae4d3bd70290ce0b0c79c (patch)
tree1de0a003e5f230a2f5dfd63dfa837488ef8a728a /fs
parentaa93d1fee85c890a34f2510a310e55ee76a27848 (diff)
xfs: fix type confusion in xfs_ioc_swapext
Without this check, the following XFS_I invocations would return bad pointers when used on non-XFS inodes (perhaps pointers into preceding allocator chunks). This could be used by an attacker to trick xfs_swap_extents into performing locking operations on attacker-chosen structures in kernel memory, potentially leading to code execution in the kernel. (I have not investigated how likely this is to be usable for an attack in practice.) Signed-off-by: Jann Horn <jann@thejh.net> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Dave Chinner <david@fromorbit.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
-rw-r--r--fs/xfs/xfs_ioctl.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index dbca7375deef..63a6ff2cfc68 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1575,6 +1575,12 @@ xfs_ioc_swapext(
goto out_put_tmp_file;
}
+ if (f.file->f_op != &xfs_file_operations ||
+ tmp.file->f_op != &xfs_file_operations) {
+ error = -EINVAL;
+ goto out_put_tmp_file;
+ }
+
ip = XFS_I(file_inode(f.file));
tip = XFS_I(file_inode(tmp.file));