Google Git
Sign in
android-kvm / linux / 4c17a6d56bb0cad3066a714e94f7185a24b40f49
commit4c17a6d56bb0cad3066a714e94f7185a24b40f49[log] [tgz]
authorJann Horn <jann@thejh.net>Fri Sep 11 16:27:27 2015 +0200
committerSteve French <smfrench@gmail.com>Fri Sep 11 09:54:03 2015 -0500
treecbd5fe9b42e01ef05f8e4fa0298c0a82c2180d44
parentb0a1ea51bda4c2bcdde460221e1772f3a4f8c44f [diff]
CIFS: fix type confusion in copy offload ioctl

This might lead to local privilege escalation (code execution as
kernel) for systems where the following conditions are met:

 - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled
 - a cifs filesystem is mounted where:
  - the mount option "vers" was used and set to a value >=2.0
  - the attacker has write access to at least one file on the filesystem

To attack this, an attacker would have to guess the target_tcon
pointer (but guessing wrong doesn't cause a crash, it just returns an
error code) and win a narrow race.

CC: Stable <stable@vger.kernel.org>
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Steve French <smfrench@gmail.com>
1 file changed
tree: cbd5fe9b42e01ef05f8e4fa0298c0a82c2180d44
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .get_maintainer.ignore
  24. .gitignore
  25. .mailmap
  26. COPYING
  27. CREDITS
  28. Kbuild
  29. Kconfig
  30. MAINTAINERS
  31. Makefile
  32. README
  33. REPORTING-BUGS