3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Nov 2017 09:30:36 +0000 (10:30 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Nov 2017 09:30:36 +0000 (10:30 +0100)
added patches:
coda-fix-kernel-memory-exposure-attempt-in-fsync.patch

queue-3.18/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch b/queue-3.18/coda-fix-kernel-memory-exposure-attempt-in-fsync.patch
new file mode 100644 (file)
index 0000000..adf3024
--- /dev/null
@@ -0,0 +1,41 @@
+From d337b66a4c52c7b04eec661d86c2ef6e168965a2 Mon Sep 17 00:00:00 2001
+From: Jan Harkes <jaharkes@cs.cmu.edu>
+Date: Wed, 27 Sep 2017 15:52:12 -0400
+Subject: coda: fix 'kernel memory exposure attempt' in fsync
+
+From: Jan Harkes <jaharkes@cs.cmu.edu>
+
+commit d337b66a4c52c7b04eec661d86c2ef6e168965a2 upstream.
+
+When an application called fsync on a file in Coda a small request with
+just the file identifier was allocated, but the declared length was set
+to the size of union of all possible upcall requests.
+
+This bug has been around for a very long time and is now caught by the
+extra checking in usercopy that was introduced in Linux-4.8.
+
+The exposure happens when the Coda cache manager process reads the fsync
+upcall request at which point it is killed. As a result there is nobody
+servicing any further upcalls, trapping any processes that try to access
+the mounted Coda filesystem.
+
+Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/coda/upcall.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/coda/upcall.c
++++ b/fs/coda/upcall.c
+@@ -446,8 +446,7 @@ int venus_fsync(struct super_block *sb,
+       UPARG(CODA_FSYNC);
+       inp->coda_fsync.VFid = *fid;
+-      error = coda_upcall(coda_vcp(sb), sizeof(union inputArgs),
+-                          &outsize, inp);
++      error = coda_upcall(coda_vcp(sb), insize, &outsize, inp);
+       CODA_FREE(inp, insize);
+       return error;
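Review bot: The fix at `error = coda_upcall(coda_vcp(sb), insize, &outsize, inp);` relies on `insize` already holding the CODA_FSYNC request size when `UPARG(CODA_FSYNC)` runs, and that assignment sits above the hunk along with the start of venus_fsync, so the backport should be checked against the 3.18 tree to confirm `insize` is the size the request was allocated with rather than an uninitialized or stale value. The description says the mismatch is only detected by the usercopy hardening added in 4.8, which 3.18 does not have, so on this branch the over-declared length would go unreported rather than killing the cache manager; the patch is still warranted because the declared length exceeds the allocation regardless of whether the copy is checked. Given how long this one went unnoticed, it would be worth auditing the other venus_* upcall sites in fs/coda/upcall.c for the same `sizeof(union inputArgs)` pattern before the queue is released, but nothing on this page shows whether any remain.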
index 198c38672f0c2a88e03d4c184c89aac0d5927161..74e1c8ac1312f8b766720e93fc99c8b058103676 100644 (file)
@@ -9,3 +9,4 @@ vlan-fix-a-use-after-free-in-vlan_device_event.patch
 ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
 ocfs2-should-wait-dio-before-inode-lock-in-ocfs2_setattr.patch
 ipmi-fix-unsigned-long-underflow.patch
+coda-fix-kernel-memory-exposure-attempt-in-fsync.patch