diff options
| author | Jann Horn <jann@thejh.net> | 2016-01-05 18:27:30 +0100 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2016-01-08 21:18:13 -0500 |
| commit | a7f61e89af73e9bf760826b20dba4e637221fcb9 (patch) | |
| tree | 1a789dfbe2d49a18745416914e090425c44ae454 /security | |
| parent | 66cf191f3eae4582a83cb4251b75b43bee95a999 (diff) | |
| download | linux-a7f61e89af73e9bf760826b20dba4e637221fcb9.tar.bz2 | |
compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)
This replaces all code in fs/compat_ioctl.c that translated
ioctl arguments into a in-kernel structure, then performed
do_ioctl under set_fs(KERNEL_DS), with code that allocates
data on the user stack and can call the VFS ioctl handler
under USER_DS.
This is done as a hardening measure because the caller
does not know what kind of ioctl handler will be invoked,
only that no corresponding compat_ioctl handler exists and
what the ioctl command number is. The accidental
invocation of an unlocked_ioctl handler that unexpectedly
calls copy_to_user could be a severe security issue.
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions