diff options
| author | David Windsor | 2017-06-11 04:50:31 +0200 |
|---|---|---|
| committer | Kees Cook | 2018-01-15 21:07:51 +0100 |
| commit | 6391af6f5829e8767c6d5e777194c9ecdd5d7ead (patch) | |
| tree | 4dd61723d47a6787476883d404d128436bd87b16 | |
| parent | vfs: Define usercopy region in names_cache slab caches (diff) | |
| download | kernel-qcow2-linux-6391af6f5829e8767c6d5e777194c9ecdd5d7ead.tar.gz kernel-qcow2-linux-6391af6f5829e8767c6d5e777194c9ecdd5d7ead.tar.xz kernel-qcow2-linux-6391af6f5829e8767c6d5e777194c9ecdd5d7ead.zip | |
vfs: Copy struct mount.mnt_id to userspace using put_user()
The mnt_id field can be copied with put_user(), so there is no need to
use copy_to_user(). In both cases, hardened usercopy is being bypassed
since the size is constant, and not open to runtime manipulation.
This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor <dave@nullcore.net>
[kees: adjust commit log]
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
| -rw-r--r-- | fs/fhandle.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/fs/fhandle.c b/fs/fhandle.c index 0ace128f5d23..0ee727485615 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -69,8 +69,7 @@ static long do_sys_name_to_handle(struct path *path, } else retval = 0; /* copy the mount id */ - if (copy_to_user(mnt_id, &real_mount(path->mnt)->mnt_id, - sizeof(*mnt_id)) || + if (put_user(real_mount(path->mnt)->mnt_id, mnt_id) || copy_to_user(ufh, handle, sizeof(struct file_handle) + handle_bytes)) retval = -EFAULT; |