ANDROID: sdcardfs: Change current->fs under lock
bug: 111641492
Change-Id: I79e9894f94880048edaf0f7cfa2d180f65cbcf3b
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Rosenberg <drosen@google.com>
CVE-2018-9515
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
diff --git a/fs/sdcardfs/inode.c b/fs/sdcardfs/inode.c
index 53f6c89..6f17153 100644
--- a/fs/sdcardfs/inode.c
+++ b/fs/sdcardfs/inode.c
@@ -99,8 +99,11 @@
err = -ENOMEM;
goto out_unlock;
}
+ copied_fs->umask = 0;
+ task_lock(current);
current->fs = copied_fs;
- current->fs->umask = 0;
+ task_unlock(current);
+
err = vfs_create2(lower_dentry_mnt, lower_parent_dentry->d_inode, lower_dentry, mode, nd);
if (err)
goto out;
@@ -115,7 +118,9 @@
out:
mnt_drop_write(lower_path.mnt);
+ task_lock(current);
current->fs = saved_fs;
+ task_unlock(current);
free_fs_struct(copied_fs);
out_unlock:
unlock_dir(lower_parent_dentry);
@@ -339,8 +344,11 @@
unlock_dir(lower_parent_dentry);
goto out_unlock;
}
+ copied_fs->umask = 0;
+ task_lock(current);
current->fs = copied_fs;
- current->fs->umask = 0;
+ task_unlock(current);
+
err = vfs_mkdir2(lower_mnt, lower_parent_dentry->d_inode, lower_dentry, mode);
if (err) {
@@ -401,7 +409,10 @@
}
out:
mnt_drop_write(lower_path.mnt);
+ task_lock(current);
current->fs = saved_fs;
+ task_unlock(current);
+
free_fs_struct(copied_fs);
out_unlock:
sdcardfs_put_lower_path(dentry, &lower_path);