aha/fs
Eric Sandeen be6aab0e9f [PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
CVE-2006-5753 is for a case where an inode can be marked bad, switching
the ops to bad_inode_ops, which are all connected as:

static int return_EIO(void)
{
        return -EIO;
}

#define EIO_ERROR ((void *) (return_EIO))

static struct inode_operations bad_inode_ops =
{
        .create         = bad_inode_create
...etc...

The problem here is that the void cast causes return types to not be
promoted, and for ops such as listxattr which expect more than 32 bits of
return value, the 32-bit -EIO is interpreted as a large positive 64-bit
number, i.e. 0x00000000fffffffa instead of 0xfffffffa.

This goes particularly badly when the return value is taken as a number of
bytes to copy into, say, a user's buffer for example...

I originally had coded up the fix by creating a return_EIO_<TYPE> macro
for each return type, like this:

static int return_EIO_int(void)
{
	return -EIO;
}
#define EIO_ERROR_INT ((void *) (return_EIO_int))

static struct inode_operations bad_inode_ops =
{
	.create		= EIO_ERROR_INT,
...etc...

but Al felt that it was probably better to create an EIO-returner for each
actual op signature.  Since so few ops share a signature, I just went ahead
& created an EIO function for each individual file & inode op that returns
a value.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2007-01-05 23:55:23 -08:00
..
9p [PATCH] 9p: change uses of f_{dentry,vfsmnt} to use f_path 2006-12-08 08:28:43 -08:00
adfs [PATCH] adfs: fix filename handling 2007-01-05 23:55:22 -08:00
affs [PATCH] affs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:43 -08:00
afs [PATCH] rename struct namespace to struct mnt_namespace 2006-12-08 08:28:51 -08:00
autofs [PATCH] autofs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:43 -08:00
autofs4 [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
befs [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
bfs [PATCH] update Tigran's email addresses 2006-12-13 09:05:53 -08:00
cifs Fix up CIFS for "test_clear_page_dirty()" removal 2006-12-23 16:19:07 -08:00
coda [PATCH] struct path: convert coda 2006-12-08 08:28:44 -08:00
configfs [PATCH] configfs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:43 -08:00
cramfs [PATCH] struct path: convert cramfs 2006-12-08 08:28:44 -08:00
debugfs DebugFS : file/directory removal fix 2006-12-13 15:38:45 -08:00
devpts
dlm [DLM] fix compile warning 2006-12-15 12:51:22 -05:00
ecryptfs [PATCH] ecryptfs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:43 -08:00
efs [PATCH] struct path: convert efs 2006-12-08 08:28:45 -08:00
exportfs [PATCH] VFS: Make filldir_t and struct kstat deal in 64-bit inode numbers 2006-10-03 08:03:40 -07:00
ext2 [PATCH] LOG2: Implement a general integer log2 facility in the kernel 2006-12-08 08:28:51 -08:00
ext3 [PATCH] LOG2: Implement a general integer log2 facility in the kernel 2006-12-08 08:28:51 -08:00
ext4 [PATCH] ext4: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:41 -08:00
fat [PATCH] fat: change uses of f_{dentry,vfsmnt} to use f_path 2006-12-08 08:28:41 -08:00
freevxfs [PATCH] struct path: convert freevxfs 2006-12-08 08:28:45 -08:00
fuse [PATCH] fuse: remove clear_page_dirty() call 2006-12-21 09:25:08 -08:00
gfs2 [GFS2] Fix Kconfig 2006-12-15 12:51:51 -05:00
hfs [PATCH] struct path: convert hfs 2006-12-08 08:28:45 -08:00
hfsplus [PATCH] struct path: convert hfsplus 2006-12-08 08:28:45 -08:00
hostfs [PATCH] struct path: convert hostfs 2006-12-08 08:28:45 -08:00
hpfs [PATCH] struct path: convert hpfs 2006-12-08 08:28:45 -08:00
hppfs [PATCH] struct path: convert hppfs 2006-12-08 08:28:45 -08:00
hugetlbfs VM: Remove "clear_page_dirty()" and "test_clear_page_dirty()" functions 2006-12-21 09:19:57 -08:00
isofs [PATCH] isofs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:41 -08:00
jbd [PATCH] jbd: wait for already submitted t_sync_datalist buffer to complete 2006-12-22 08:55:51 -08:00
jbd2 [PATCH] jbd2: wait for already submitted t_sync_datalist buffer to complete 2006-12-07 08:39:42 -08:00
jffs [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
jffs2 [PATCH] struct path: convert jffs2 2006-12-08 08:28:46 -08:00
jfs [PATCH] Fix JFS after clear_page_dirty() removal 2006-12-21 09:24:03 -08:00
lockd [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
minix [PATCH] struct path: convert minix 2006-12-08 08:28:47 -08:00
msdos [PATCH] fat: add fat_getattr() 2006-11-16 11:43:38 -08:00
ncpfs [PATCH] ncpfs: ensure we free wdog_pid on parse_option or fill_inode failure 2006-12-13 09:05:53 -08:00
nfs [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
nfs_common [PATCH] nfs_common endianness annotations 2006-10-20 10:26:41 -07:00
nfsd [PATCH] knfsd: Fix up some bit-rot in exp_export 2006-12-13 09:05:54 -08:00
nls [PATCH] fs: make nls_cp936.c handle some U00XY characters and U20AC correctly 2006-12-07 08:39:46 -08:00
ntfs [PATCH] ntfs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:42 -08:00
ocfs2 ocfs2: export heartbeat thread pid via configfs 2006-12-28 16:40:32 -08:00
openpromfs [PATCH] struct path: convert openpromfs 2006-12-08 08:28:48 -08:00
partitions [MIPS] Rename SNI_RM200_PCI to just SNI_RM preparing for more RM machines 2006-12-09 01:03:58 +00:00
proc Make SLES9 "get_kernel_version" work on the kernel binary again 2006-12-11 11:34:11 -08:00
qnx4 [PATCH] struct path: convert qnx4 2006-12-08 08:28:48 -08:00
ramfs [PATCH] ramfs breaks without CONFIG_BLOCK 2006-12-30 10:56:42 -08:00
reiserfs Fix reiserfs after "test_clear_page_dirty()" removal 2006-12-23 09:32:45 -08:00
romfs [PATCH] struct path: convert romfs 2006-12-08 08:28:49 -08:00
smbfs [PATCH] smbfs: Make conn_pid a struct pid 2006-12-13 09:05:53 -08:00
sysfs [PATCH] sysfs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:41 -08:00
sysv [PATCH] fs/sysv/: proper prototypes for 2 functions 2006-12-22 08:55:47 -08:00
udf [PATCH] struct path: convert udf 2006-12-08 08:28:50 -08:00
ufs [PATCH] struct path: convert ufs 2006-12-08 08:28:50 -08:00
vfat [PATCH] fat: add fat_getattr() 2006-11-16 11:43:38 -08:00
xfs [PATCH] Fix XFS after clear_page_dirty() removal 2006-12-21 10:01:08 -08:00
aio.c [PATCH] Fix lock inversion aio_kick_handler() 2006-12-30 10:55:54 -08:00
attr.c
bad_inode.c [PATCH] fix memory corruption from misinterpreted bad_inode_ops return values 2007-01-05 23:55:23 -08:00
binfmt_aout.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
binfmt_elf.c [PATCH] add process_session() helper routine 2006-12-08 08:28:51 -08:00
binfmt_elf_fdpic.c fs: Convert kmalloc() + memset() to kzalloc() in fs/. 2006-12-12 20:07:35 +01:00
binfmt_em86.c
binfmt_flat.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
binfmt_misc.c [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
binfmt_script.c
binfmt_som.c [PARISC] Fix fs/binfmt_som.c 2006-10-04 06:51:26 -06:00
bio.c [PATCH] optimize o_direct on block devices 2006-12-13 09:05:50 -08:00
block_dev.c [PATCH] optimize o_direct on block devices 2006-12-13 09:05:50 -08:00
buffer.c Clean up and make try_to_free_buffers() not race with dirty pages 2006-12-21 09:04:31 -08:00
char_dev.c [PATCH] BLOCK: Move extern declarations out of fs/*.c into header files [try #6] 2006-09-30 20:52:18 +02:00
compat.c [PATCH] fdtable: Make fdarray and fdsets equal in size 2006-12-10 09:57:22 -08:00
compat_ioctl.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
dcache.c [PATCH] dcache: avoid RCU for never-hashed dentries 2006-12-07 08:39:41 -08:00
dcookies.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
direct-io.c [PATCH] dio: lock refcount operations 2006-12-10 09:57:21 -08:00
dnotify.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
dquot.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
drop_caches.c
eventpoll.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
exec.c [PATCH] fdtable: Make fdarray and fdsets equal in size 2006-12-10 09:57:22 -08:00
fcntl.c [PATCH] fdtable: Make fdarray and fdsets equal in size 2006-12-10 09:57:22 -08:00
fifo.c
file.c [PATCH] fdtable: Provide free_fdtable() wrapper 2006-12-22 08:55:50 -08:00
file_table.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
filesystems.c [PATCH] Ban register_filesystem(NULL); 2006-09-29 09:18:20 -07:00
fs-writeback.c [PATCH] BLOCK: Remove dependence on existence of blockdev_superblock [try #6] 2006-09-30 20:52:26 +02:00
generic_acl.c [PATCH] Generic infrastructure for acls 2006-09-29 09:18:24 -07:00
inode.c [PATCH] relative atime 2006-12-13 09:05:50 -08:00
inotify.c [PATCH] severing fs.h, radix-tree.h -> sched.h 2006-12-04 02:00:24 -05:00
inotify_user.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
internal.h [PATCH] CONFIG_BLOCK internal.h cleanups 2006-09-30 20:52:32 +02:00
ioctl.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
ioprio.c [PATCH] block layer: ioprio_best function fix 2006-10-12 15:09:51 +02:00
Kconfig [PATCH] Make JFFS depend on CONFIG_BROKEN 2006-12-22 08:55:48 -08:00
Kconfig.binfmt
libfs.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
locks.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
Makefile [PATCH] fsstack: Introduce fsstack_copy_{attr,inode}_* 2006-12-08 08:28:40 -08:00
mbcache.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
mpage.c [PATCH] BLOCK: Dissociate generic_writepages() from mpage stuff [try #6] 2006-09-30 20:52:26 +02:00
namei.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
namespace.c [PATCH] relative atime 2006-12-13 09:05:50 -08:00
nfsctl.c
no-block.c [PATCH] BLOCK: Make it possible to disable the block layer [try #6] 2006-09-30 20:52:31 +02:00
open.c [PATCH] fdtable: Make fdarray and fdsets equal in size 2006-12-10 09:57:22 -08:00
pipe.c [PATCH] fix leaks on pipe(2) failure exits 2006-12-21 00:16:03 -08:00
pnode.c [PATCH] rename struct namespace to struct mnt_namespace 2006-12-08 08:28:51 -08:00
pnode.h [PATCH] rename struct namespace to struct mnt_namespace 2006-12-08 08:28:51 -08:00
posix_acl.c [PATCH] kmemdup: some users 2006-10-01 00:39:19 -07:00
quota.c [PATCH] BLOCK: Make it possible to disable the block layer [try #6] 2006-09-30 20:52:31 +02:00
quota_v1.c
quota_v2.c
read_write.c [PATCH] one more EXPORT_UNUSED_SYMBOL removal 2006-12-13 09:05:53 -08:00
read_write.h [PATCH] Remove readv/writev methods and use aio_read/aio_write instead 2006-10-01 00:39:28 -07:00
readdir.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
select.c [PATCH] fdtable: Make fdarray and fdsets equal in size 2006-12-10 09:57:22 -08:00
seq_file.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
splice.c [PATCH] constify pipe_buf_operations 2006-12-13 09:05:47 -08:00
stack.c [PATCH] fsstack: Remove inode copy 2006-12-22 08:55:48 -08:00
stat.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
super.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
sync.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
utimes.c [PATCH] severing fs.h, radix-tree.h -> sched.h 2006-12-04 02:00:24 -05:00
xattr.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
xattr_acl.c