diff options
author | David Windsor <dave@nullcore.net> | 2017-06-11 04:50:31 +0200 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2018-01-15 21:07:51 +0100 |
commit | 6391af6f5829e8767c6d5e777194c9ecdd5d7ead (patch) | |
tree | 4dd61723d47a6787476883d404d128436bd87b16 /fs/fhandle.c | |
parent | vfs: Define usercopy region in names_cache slab caches (diff) | |
download | linux-6391af6f5829e8767c6d5e777194c9ecdd5d7ead.tar.xz linux-6391af6f5829e8767c6d5e777194c9ecdd5d7ead.zip |
vfs: Copy struct mount.mnt_id to userspace using put_user()
The mnt_id field can be copied with put_user(), so there is no need to
use copy_to_user(). In both cases, hardened usercopy is being bypassed
since the size is constant, and not open to runtime manipulation.
This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor <dave@nullcore.net>
[kees: adjust commit log]
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'fs/fhandle.c')
-rw-r--r-- | fs/fhandle.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/fs/fhandle.c b/fs/fhandle.c index 0ace128f5d23..0ee727485615 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -69,8 +69,7 @@ static long do_sys_name_to_handle(struct path *path, } else retval = 0; /* copy the mount id */ - if (copy_to_user(mnt_id, &real_mount(path->mnt)->mnt_id, - sizeof(*mnt_id)) || + if (put_user(real_mount(path->mnt)->mnt_id, mnt_id) || copy_to_user(ufh, handle, sizeof(struct file_handle) + handle_bytes)) retval = -EFAULT; |