summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJann Horn <jann@thejh.net>2016-01-05 18:27:30 +0100
committerAl Viro <viro@zeniv.linux.org.uk>2016-01-08 21:18:13 -0500
commita7f61e89af73e9bf760826b20dba4e637221fcb9 (patch)
tree1a789dfbe2d49a18745416914e090425c44ae454 /security
parent66cf191f3eae4582a83cb4251b75b43bee95a999 (diff)
downloadlinux-a7f61e89af73e9bf760826b20dba4e637221fcb9.tar.bz2
compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)
This replaces all code in fs/compat_ioctl.c that translated ioctl arguments into a in-kernel structure, then performed do_ioctl under set_fs(KERNEL_DS), with code that allocates data on the user stack and can call the VFS ioctl handler under USER_DS. This is done as a hardening measure because the caller does not know what kind of ioctl handler will be invoked, only that no corresponding compat_ioctl handler exists and what the ioctl command number is. The accidental invocation of an unlocked_ioctl handler that unexpectedly calls copy_to_user could be a severe security issue. Signed-off-by: Jann Horn <jann@thejh.net> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions