CIFS: fix type confusion in copy offload ioctl
This might lead to local privilege escalation (code execution as kernel) for systems where the following conditions are met: - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled - a cifs filesystem is mounted where: - the mount option "vers" was used and set to a value >=2.0 - the attacker has write access to at least one file on the filesystem To attack this, an attacker would have to guess the target_tcon pointer (but guessing wrong doesn't cause a crash, it just returns an error code) and win a narrow race. CC: Stable <stable@vger.kernel.org> Signed-off-by: Jann Horn <jann@thejh.net> Signed-off-by: Steve French <smfrench@gmail.com>
This commit is contained in:
parent
b0a1ea51bd
commit
4c17a6d56b
|
@ -67,6 +67,12 @@ static long cifs_ioctl_clone(unsigned int xid, struct file *dst_file,
|
||||||
goto out_drop_write;
|
goto out_drop_write;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (src_file.file->f_op->unlocked_ioctl != cifs_ioctl) {
|
||||||
|
rc = -EBADF;
|
||||||
|
cifs_dbg(VFS, "src file seems to be from a different filesystem type\n");
|
||||||
|
goto out_fput;
|
||||||
|
}
|
||||||
|
|
||||||
if ((!src_file.file->private_data) || (!dst_file->private_data)) {
|
if ((!src_file.file->private_data) || (!dst_file->private_data)) {
|
||||||
rc = -EBADF;
|
rc = -EBADF;
|
||||||
cifs_dbg(VFS, "missing cifsFileInfo on copy range src file\n");
|
cifs_dbg(VFS, "missing cifsFileInfo on copy range src file\n");
|
||||||
|
|
Loading…
Reference in New Issue