Patchwork [3/3,CVE-2012-2375,ONEIRIC,NATTY] Fix length of buffer copied in __nfs4_get_acl_uncached

mail settings
Submitter Brad Figg
Date May 31, 2012, 4:28 p.m.
Message ID <>
Download mbox | patch
Permalink /patch/162185/
State New
Headers show


Brad Figg - May 31, 2012, 4:28 p.m.
From: Sachin Prabhu <>


_copy_from_pages() used to copy data from the temporary buffer to the
user passed buffer is passed the wrong size parameter when copying
data. res.acl_len contains both the bitmap and acl lenghts while
acl_len contains the acl length after adjusting for the bitmap size.

Signed-off-by: Sachin Prabhu <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Brad Figg <>
(cherry picked from commit 20e0fa98b751facf9a1101edaefbc19c82616a68)
 fs/nfs/nfs4proc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 2f8f3bb..ec8acdb 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3609,7 +3609,7 @@  static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
 		if (acl_len > buflen)
 			goto out_free;
 		_copy_from_pages(buf, pages, res.acl_data_offset,
-				res.acl_len);
+				acl_len);
 	ret = acl_len;