
Commit 76bdaa16 authored by Dan Carpenter, committed by Greg Kroah-Hartman

staging: lustre: libcfs: double copy bug
The problem is that we copy hdr.ioc_len, we verify it, then we copy it
again without checking to see if it has changed in between the two
copies.

This could result in an information leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent dcdf43a0
+13 −2
@@ -122,7 +122,7 @@ int libcfs_ioctl_getdata(struct libcfs_ioctl_hdr **hdr_pp,
			 const struct libcfs_ioctl_hdr __user *uhdr)
{
	struct libcfs_ioctl_hdr hdr;
	int err = 0;
	int err;

	if (copy_from_user(&hdr, uhdr, sizeof(hdr)))
		return -EFAULT;
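Review bot: dropping the initializer (`int err = 0;` becoming `int err;`) is only safe because `err` is now returned solely through the `free:` label after an explicit assignment on each `goto free` path; a future `goto free` added without setting `err` would return an indeterminate value, so building with `-Wmaybe-uninitialized` enabled is the cheap check to keep this honest. Note also that `copy_from_user(&hdr, uhdr, sizeof(hdr))` here is the first of the two copies the commit message refers to: the fields validated from this local `hdr` are the reference the later re-check must compare against, so nothing between this copy and the second one should start trusting `uhdr` directly.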
@@ -150,9 +150,20 @@ int libcfs_ioctl_getdata(struct libcfs_ioctl_hdr **hdr_pp,
		return -ENOMEM;

	if (copy_from_user(*hdr_pp, uhdr, hdr.ioc_len)) {
		LIBCFS_FREE(*hdr_pp, hdr.ioc_len);
		err = -EFAULT;
		goto free;
	}

	if ((*hdr_pp)->ioc_version != hdr.ioc_version ||
	    (*hdr_pp)->ioc_len != hdr.ioc_len) {
		err = -EINVAL;
		goto free;
	}

	return 0;

free:
	LIBCFS_FREE(*hdr_pp, hdr.ioc_len);
	return err;
}
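Review bot: the re-validation block comparing `(*hdr_pp)->ioc_version` and `(*hdr_pp)->ioc_len` against `hdr` needs a short comment stating why it exists, otherwise a later cleanup may drop it as redundant: `copy_from_user(*hdr_pp, uhdr, hdr.ioc_len)` re-reads user memory that can have changed since the first copy, so the length and version in the freshly copied buffer must be shown to equal the values that were already validated before the buffer is handed back. Something like `/* uhdr may have changed between the two copies; reject if it did */` above the `if` would do. In this rendered view, also confirm that the `LIBCFS_FREE(*hdr_pp, hdr.ioc_len);` inside the `copy_from_user` failure branch is the removed line and is not retained alongside `err = -EFAULT; goto free;`, since the `free:` label frees the same buffer and keeping both would be a double free. Using the validated `hdr.ioc_len` at `free:` rather than the re-read `(*hdr_pp)->ioc_len` is correct, as it matches the size the existing `LIBCFS_FREE` call already used.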