aboutsummaryrefslogtreecommitdiff
path: root/fs/jfs/jfs_incore.h
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2018-08-03 12:52:58 -0700
committerKees Cook <keescook@chromium.org>2018-08-04 07:53:46 -0700
commit961b33c244e5ba1543ae26270a1ba29f29c2db83 (patch)
treeb2e0bdb72b4e43774aa1264c9bf9f3df1e8cb2d8 /fs/jfs/jfs_incore.h
parent7daf201d7fe8334e2d2364d4e8ed3394ec9af819 (diff)
download96b-common-961b33c244e5ba1543ae26270a1ba29f29c2db83.tar.gz
jfs: Fix usercopy whitelist for inline inode data
Bart Massey reported what turned out to be a usercopy whitelist false positive in JFS when symlink contents exceeded 128 bytes. The inline inode data (i_inline) is actually designed to overflow into the "extended area" following it (i_inline_ea) when needed. So the whitelist needed to be expanded to include both i_inline and i_inline_ea (the whole size of which is calculated internally using IDATASIZE, 256, instead of sizeof(i_inline), 128). $ cd /mnt/jfs $ touch $(perl -e 'print "B" x 250') $ ln -s B* b $ ls -l >/dev/null [ 249.436410] Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'jfs_ip' (offset 616, size 250)! Reported-by: Bart Massey <bart.massey@gmail.com> Fixes: 8d2704d382a9 ("jfs: Define usercopy region in jfs_ip slab cache") Cc: Dave Kleikamp <shaggy@kernel.org> Cc: jfs-discussion@lists.sourceforge.net Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'fs/jfs/jfs_incore.h')
-rw-r--r--fs/jfs/jfs_incore.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/jfs/jfs_incore.h b/fs/jfs/jfs_incore.h
index 1f26d1910409..9940a1e04cbf 100644
--- a/fs/jfs/jfs_incore.h
+++ b/fs/jfs/jfs_incore.h
@@ -87,6 +87,7 @@ struct jfs_inode_info {
struct {
unchar _unused[16]; /* 16: */
dxd_t _dxd; /* 16: */
+ /* _inline may overflow into _inline_ea when needed */
unchar _inline[128]; /* 128: inline symlink */
/* _inline_ea may overlay the last part of
* file._xtroot if maxentry = XTROOTINITSLOT