releases/4.7.1/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl.patch

   1 From 10eec60ce79187686e052092e5383c99b4420a20 Mon Sep 17 00:00:00 2001
   2 From: Scott Bauer <sbauer@plzdonthack.me>
   3 Date: Wed, 27 Jul 2016 19:11:29 -0600
   4 Subject: vfs: ioctl: prevent double-fetch in dedupe ioctl
   5
   6 From: Scott Bauer <sbauer@plzdonthack.me>
   7
   8 commit 10eec60ce79187686e052092e5383c99b4420a20 upstream.
   9
  10 This prevents a double-fetch from user space that can lead to to an
  11 undersized allocation and heap overflow.
  12
  13 Fixes: 54dbc1517237 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
  14 Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
  15 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  16 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  17
  18 ---
  19  fs/ioctl.c |    1 +
  20  1 file changed, 1 insertion(+)
  21
  22 --- a/fs/ioctl.c
  23 +++ b/fs/ioctl.c
  24 @@ -590,6 +590,7 @@ static long ioctl_file_dedupe_range(stru
  25                 goto out;
  26         }
  27
  28 +       same->dest_count = count;
  29         ret = vfs_dedupe_file_range(file, same);
  30         if (ret)
  31                 goto out;