
Commit 5b03a472 authored by Kees Cook's avatar Kees Cook Committed by Jan Kara

fanotify: Make sure to check event_len when copying

As a precaution, make sure we check event_len when copying to userspace.
Based on old feedback: https://lkml.kernel.org/r/542D9FE5.3010009@gmx.de



Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarJan Kara <jack@suse.cz>
parent d6f7aa98
+8 −2
@@ -206,7 +206,7 @@ static int process_access_response(struct fsnotify_group *group,

static ssize_t copy_event_to_user(struct fsnotify_group *group,
				  struct fsnotify_event *event,
				  char __user *buf)
				  char __user *buf, size_t count)
{
	struct fanotify_event_metadata fanotify_event_metadata;
	struct file *f;
@@ -220,6 +220,12 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,

	fd = fanotify_event_metadata.fd;
	ret = -EFAULT;
	/*
	 * Sanity check copy size in case get_one_event() and
	 * fill_event_metadata() event_len sizes ever get out of sync.
	 */
	if (WARN_ON_ONCE(fanotify_event_metadata.event_len > count))
		goto out_close_fd;
	if (copy_to_user(buf, &fanotify_event_metadata,
			 fanotify_event_metadata.event_len))
		goto out_close_fd;
@@ -295,7 +301,7 @@ static ssize_t fanotify_read(struct file *file, char __user *buf,
			continue;
		}

		ret = copy_event_to_user(group, kevent, buf);
		ret = copy_event_to_user(group, kevent, buf, count);
		if (unlikely(ret == -EOPENSTALE)) {
			/*
			 * We cannot report events with stale fd so drop it.
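Review bot: The added guard in copy_event_to_user() bounds event_len only against the caller's buffer size, while the copy_to_user() that follows reads event_len bytes out of the on-stack fanotify_event_metadata struct; if the two length computations named in the new comment ever did drift, a value larger than the struct would still copy adjacent kernel stack to userspace. Extending the condition with `|| fanotify_event_metadata.event_len > sizeof(fanotify_event_metadata)` would cover the source side in the same check. The failure path also leaves `ret` at -EFAULT, so an internal inconsistency is reported to the reader as a bad user address; a one-line comment stating that this is intentional would help. Both function bodies continue outside the hunks shown, so whether count is already validated against the metadata length earlier in fanotify_read() cannot be confirmed from here.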