Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

fs/fuse: fix ioctl type confusion

fuse_dev_ioctl() performed fuse_get_dev() on a user-supplied fd,
leading to a type confusion issue. Fix it by checking file->f_op.

Signed-off-by: Jann Horn <jann@thejh.net>
Acked-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Authored by Jann Horn and committed by Linus Torvalds
8ed1f0e2 1efdb5f0

+9 -1
fs/fuse/dev.c
··· 2246 2246 2247 2247 err = -EINVAL; 2248 2248 if (old) { 2249 - struct fuse_dev *fud = fuse_get_dev(old); 2249 + struct fuse_dev *fud = NULL; 2250 + 2251 + /* 2252 + * Check against file->f_op because CUSE 2253 + * uses the same ioctl handler. 2254 + */ 2255 + if (old->f_op == file->f_op && 2256 + old->f_cred->user_ns == file->f_cred->user_ns) 2257 + fud = fuse_get_dev(old); 2250 2258 2251 2259 if (fud) { 2252 2260 mutex_lock(&fuse_mutex);
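Review bot: the second half of the new condition, `old->f_cred->user_ns == file->f_cred->user_ns`, is undocumented. The added comment explains only why the comparison is against `file->f_op`, and the commit message describes the fix as "checking file->f_op" with no mention of user namespaces. Please extend the comment to state why both files must share a user namespace, or split that test into its own patch with its own rationale. It would also help to note that on a mismatch `fud` stays NULL, so the `if (fud)` block is skipped and the `-EINVAL` assigned just above is what the caller sees, since that rejection path is currently implicit.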