xfs: fix type confusion in xfs_ioc_swapext
Without this check, the following XFS_I invocations would return bad pointers when used on non-XFS inodes (perhaps pointers into preceding allocator chunks). This could be used by an attacker to trick xfs_swap_extents into performing locking operations on attacker-chosen structures in kernel memory, potentially leading to code execution in the kernel. (I have not investigated how likely this is to be usable for an attack in practice.)

Signed-off-by: Jann Horn <jann@thejh.net>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Chinner <david@fromorbit.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent aa93d1fee8
commit 3e0a396546
|
@ -1575,6 +1575,12 @@ xfs_ioc_swapext(
|
|||
goto out_put_tmp_file;
|
||||
}
|
||||
|
||||
if (f.file->f_op != &xfs_file_operations ||
|
||||
tmp.file->f_op != &xfs_file_operations) {
|
||||
error = -EINVAL;
|
||||
goto out_put_tmp_file;
|
||||
}
|
||||
|
||||
ip = XFS_I(file_inode(f.file));
|
||||
tip = XFS_I(file_inode(tmp.file));
|
||||
|
||||
|
|
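Review bot: the new f_op test that precedes the two XFS_I() calls has no comment, so the reason for it (XFS_I() is only meaningful for an inode that belongs to XFS, and both descriptors are caller-supplied) is recorded only in the commit message. A one-line comment above the `if` would keep a later cleanup from dropping it as redundant. The test also ties validity to a single operations table, `&xfs_file_operations`, so a file served through any other f_op table is rejected with -EINVAL for both `f.file` and `tmp.file`. Please confirm that this is the intended set of files for swapext, and that the `out_put_tmp_file` label releases both file references on this new early exit, as it does for the check just above.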