Message ID | 1366201481-12482-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
On 04/17/2013 06:24 AM, Luis Henriques wrote: > From: Mathias Krause <minipli@googlemail.com> > > CVE-2012-6549 > > BugLink: http://bugs.launchpad.net/bugs/1156774 > > For type 1 the parent_offset member in struct isofs_fid gets copied > uninitialized to userland. Fix this by initializing it to 0. > > Signed-off-by: Mathias Krause <minipli@googlemail.com> > Signed-off-by: Jan Kara <jack@suse.cz> > (cherry picked from commit fe685aabf7c8c9f138e5ea900954d295bf229175) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > fs/isofs/export.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/fs/isofs/export.c b/fs/isofs/export.c > index e81a305..caec670 100644 > --- a/fs/isofs/export.c > +++ b/fs/isofs/export.c > @@ -131,6 +131,7 @@ isofs_export_encode_fh(struct dentry *dentry, > len = 3; > fh32[0] = ei->i_iget5_block; > fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */ > + fh16[3] = 0; /* avoid leaking uninitialized data */ > fh32[2] = inode->i_generation; > if (connectable && !S_ISDIR(inode->i_mode)) { > struct inode *parent; >
On 17/04/13 13:24, Luis Henriques wrote: > From: Mathias Krause <minipli@googlemail.com> > > CVE-2012-6549 > > BugLink: http://bugs.launchpad.net/bugs/1156774 > > For type 1 the parent_offset member in struct isofs_fid gets copied > uninitialized to userland. Fix this by initializing it to 0. > > Signed-off-by: Mathias Krause <minipli@googlemail.com> > Signed-off-by: Jan Kara <jack@suse.cz> > (cherry picked from commit fe685aabf7c8c9f138e5ea900954d295bf229175) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > fs/isofs/export.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/fs/isofs/export.c b/fs/isofs/export.c > index e81a305..caec670 100644 > --- a/fs/isofs/export.c > +++ b/fs/isofs/export.c > @@ -131,6 +131,7 @@ isofs_export_encode_fh(struct dentry *dentry, > len = 3; > fh32[0] = ei->i_iget5_block; > fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */ > + fh16[3] = 0; /* avoid leaking uninitialized data */ > fh32[2] = inode->i_generation; > if (connectable && !S_ISDIR(inode->i_mode)) { > struct inode *parent; > Clean cherry pick, looks good to me. Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/fs/isofs/export.c b/fs/isofs/export.c index e81a305..caec670 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -131,6 +131,7 @@ isofs_export_encode_fh(struct dentry *dentry, len = 3; fh32[0] = ei->i_iget5_block; fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */ + fh16[3] = 0; /* avoid leaking uninitialized data */ fh32[2] = inode->i_generation; if (connectable && !S_ISDIR(inode->i_mode)) { struct inode *parent;
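Review bot: the one-line `fh16[3] = 0;` is the minimal correct fix for the len = 3 (type 1) handle, since fh16[3] is the upper 16-bit half of the second 32-bit word (the parent_offset slot of struct isofs_fid) that this path otherwise never writes, and it is placed in the common code before `fh32[2] = inode->i_generation;`, so the connectable branch below, which overwrites fh16[3] with the parent's offset, is unaffected. Tying the fix to the exact slot does leave the function open to the same class of leak if another field is added later; a memset() of the handle buffer to the returned length at the top of isofs_export_encode_fh() would close that generally, but for a stable cherry-pick that must match upstream commit fe685aabf7c8c9f138e5ea900954d295bf229175 the one-line form is the right choice. The `/* fh16 [sic] */` comment on the preceding line is pre-existing context, not part of this change.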