Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 2ebc3464781ad24474abcbd2274e6254689853b5
commit2ebc3464781ad24474abcbd2274e6254689853b5[log] [tgz]
authorDan Rosenberg <dan.j.rosenberg@gmail.com>Mon Jul 19 16:58:20 2010 -0400
committerChris Mason <chris.mason@oracle.com>Mon Jul 19 16:58:20 2010 -0400
tree3d58dfcc14948672c0aac1636cdd57cbe46a135d
parentb5384d48f4e74edec3ca1887cb65e378a72af9a1 [diff]
Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE

1.  The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check
whether the donor file is append-only before writing to it.

2.  The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer
overflow that allows a user to specify an out-of-bounds range to copy
from the source file (if off + len wraps around).  I haven't been able
to successfully exploit this, but I'd imagine that a clever attacker
could use this to read things he shouldn't.  Even if it's not
exploitable, it couldn't hurt to be safe.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
cc: stable@kernel.org
Signed-off-by: Chris Mason <chris.mason@oracle.com>
1 file changed
tree: 3d58dfcc14948672c0aac1636cdd57cbe46a135d
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. MAINTAINERS
  28. Makefile
  29. README
  30. REPORTING-BUGS