From patchwork Thu May 31 16:28:42 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [3/3, CVE-2012-2375, ONEIRIC, NATTY] Fix length of buffer copied in __nfs4_get_acl_uncached
Date: Thu, 31 May 2012 06:28:42 -0000
From: Brad Figg
X-Patchwork-Id: 162185
Message-Id: <1338481722-3750-4-git-send-email-brad.figg@canonical.com>
To: kernel-team@lists.ubuntu.com

From: Sachin Prabhu

CVE-2012-2375

_copy_from_pages() used to copy data from the temporary buffer to the
user passed buffer is passed the wrong size parameter when copying
data. res.acl_len contains both the bitmap and acl lengths while
acl_len contains the acl length after adjusting for the bitmap size.

Signed-off-by: Sachin Prabhu
Signed-off-by: Trond Myklebust
Signed-off-by: Brad Figg
(cherry picked from commit 20e0fa98b751facf9a1101edaefbc19c82616a68)
--- fs/nfs/nfs4proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 2f8f3bb..ec8acdb 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -3609,7 +3609,7 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu if (acl_len > buflen) goto out_free; _copy_from_pages(buf, pages, res.acl_data_offset, - res.acl_len); + acl_len); } ret = acl_len; out_free:
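
Review bot: The guard `if (acl_len > buflen)` and the length passed to `_copy_from_pages()` now agree, but the near-identical names `acl_len` and `res.acl_len` are what made the original mistake easy, and nothing at the call site records how they differ. A short comment at the copy stating that `res.acl_len` also counts the bitmap, or a more distinct name for the local, would help keep the two from being swapped again. The commit message could also state the consequence: by its own description `res.acl_len` is the larger value, so the old call could copy more into `buf` than the `buflen` the check had just validated. The computation of `acl_len` from `res.acl_len` is outside this hunk, so it is worth confirming separately that the bitmap adjustment cannot underflow before the comparison against `buflen`.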