Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'usercopy-fix-v4.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull usercopy whitelisting fix from Kees Cook:
"Bart Massey discovered that the usercopy whitelist for JFS was
incomplete: the inline inode data may intentionally "overflow" into
the neighboring "extended area", so the size of the whitelist needed
to be raised to include the neighboring field"

* tag 'usercopy-fix-v4.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
jfs: Fix usercopy whitelist for inline inode data

+9 -2
+7
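--- a/fs/jfs/jfs_dinode.h
+++ b/fs/jfs/jfs_dinode.h
@@ -115,6 +115,13 @@
 dxd_t _dxd; /* 16: */
 union {
 __le32 _rdev; /* 4: */
+/*
+ * The fast symlink area
+ * is expected to overflow
+ * into _inlineea when
+ * needed (which will clear
+ * INLINEEA).
+ */
 u8 _fastsymlink[128];
 } _u;
 u8 _inlineea[128];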
+1
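--- a/fs/jfs/jfs_incore.h
+++ b/fs/jfs/jfs_incore.h
@@ -87,6 +87,7 @@
 struct {
 unchar _unused[16]; /* 16: */
 dxd_t _dxd; /* 16: */
+/* _inline may overflow into _inline_ea when needed */
 unchar _inline[128]; /* 128: inline symlink */
 /* _inline_ea may overlay the last part of
  * file._xtroot if maxentry = XTROOTINITSLOT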
+1 -2
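--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -967,8 +967,7 @@
 jfs_inode_cachep =
 kmem_cache_create_usercopy("jfs_ip", sizeof(struct jfs_inode_info),
 0, SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT,
-offsetof(struct jfs_inode_info, i_inline),
-sizeof_field(struct jfs_inode_info, i_inline),
+offsetof(struct jfs_inode_info, i_inline), IDATASIZE,
 init_once);
 if (jfs_inode_cachep == NULL)
 return -ENOMEM;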
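Review bot: The usercopy window passed to `kmem_cache_create_usercopy()` is now sized by the bare constant `IDATASIZE`, so nothing at this call site ties the whitelisted range to the layout of `struct jfs_inode_info` the way the removed `sizeof_field()` did. The definition of IDATASIZE is not visible in this hunk; if it ever became larger than `_inline` plus the adjacent `_inline_ea`, hardened usercopy would stop rejecting copies that reach neighbouring inode fields. A compile-time guard next to the call would pin the assumption, for example `BUILD_BUG_ON(IDATASIZE != sizeof_field(struct jfs_inode_info, i_inline) + sizeof_field(struct jfs_inode_info, i_inline_ea));`, together with a short comment such as `/* whitelist covers i_inline and the i_inline_ea it may overflow into */`. The enclosing function begins and ends outside the hunk.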