iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Jeremy Cline c1ef3feca6 fs/quota: Fix spectre gadget in do_quotactl 
commit 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 upstream.

'type' is user-controlled, so sanitize it after the bounds check to
avoid using it in speculative execution. This covers the following
potential gadgets detected with the help of smatch:

* fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/f2fs/super.c:1552 f2fs_quota_read() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/f2fs/super.c:1608 f2fs_quota_write() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/quota/dquot.c:412 mark_info_dirty() warn: potential spectre issue
  'sb_dqopt(sb)->info' [w]
* fs/quota/dquot.c:933 dqinit_needed() warn: potential spectre issue
  'dquots' [r]
* fs/quota/dquot.c:2112 dquot_commit_info() warn: potential spectre
  issue 'dqopt->ops' [r]
* fs/quota/dquot.c:2362 vfs_load_quota_inode() warn: potential spectre
  issue 'dqopt->files' [w] (local cap)
* fs/quota/dquot.c:2369 vfs_load_quota_inode() warn: potential spectre
  issue 'dqopt->ops' [w] (local cap)
* fs/quota/dquot.c:2370 vfs_load_quota_inode() warn: potential spectre
  issue 'dqopt->info' [w] (local cap)
* fs/quota/quota.c:110 quota_getfmt() warn: potential spectre issue
  'sb_dqopt(sb)->info' [r]
* fs/quota/quota_v2.c:84 v2_check_quota_file() warn: potential spectre
  issue 'quota_magics' [w]
* fs/quota/quota_v2.c:85 v2_check_quota_file() warn: potential spectre
  issue 'quota_versions' [w]
* fs/quota/quota_v2.c:96 v2_read_file_info() warn: potential spectre
  issue 'dqopt->info' [r]
* fs/quota/quota_v2.c:172 v2_write_file_info() warn: potential spectre
  issue 'dqopt->info' [r]

Additionally, a quick inspection indicates there are array accesses with
'type' in quota_on() and quota_off() functions which are also addressed
by this.

Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-09 10:32:42 +02:00
..
9p
fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed
2018-09-09 10:32:33 +02:00
adfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
affs
affs: fix potential memory leak when parsing option 'prefix'
2018-05-28 12:36:41 +02:00
afs
Merge branch 'afs-proc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-16 16:32:04 +09:00
autofs
autofs: fix slab out of bounds read in getname_kernel()
2018-07-14 11:11:09 -07:00
befs
fix a series of Documentation/ broken file name references
2018-06-15 18:10:01 -03:00
bfs
bfs_add_entry: pass name/len as qstr pointer
2018-05-22 14:27:50 -04:00
btrfs
Btrfs: send, fix incorrect file layout after hole punching beyond eof
2018-09-05 09:29:42 +02:00
cachefiles
cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
2018-07-25 14:49:00 +01:00
ceph
ceph: fix dentry leak in splice_dentry()
2018-06-26 18:42:44 +02:00
cifs
smb3: fill in statfs fsid and correct namelen
2018-09-05 09:29:41 +02:00
coda
vfs: change inode times to use struct timespec64
2018-06-05 16:57:31 -07:00
configfs
vfs: change inode times to use struct timespec64
2018-06-05 16:57:31 -07:00
cramfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
crypto
f2fs-for-4.18-rc1
2018-06-11 10:16:13 -07:00
debugfs
Revert "debugfs: inode: debugfs_create_dir uses mode permission from parent"
2018-06-12 20:52:16 -07:00
devpts
dlm
treewide: Use array_size() in vmalloc()
2018-06-12 16:19:22 -07:00
ecryptfs
Merge branch 'fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs into aio-base
2018-05-26 09:16:25 +02:00
efivarfs
efs
exofs
exofs: avoid VLA in structures
2018-06-15 07:55:24 +09:00
exportfs
ovl: do not try to reconnect a disconnected origin dentry
2018-04-12 12:04:49 +02:00
ext2
ext2: add warning when specifying nocheck option
2018-06-20 11:04:26 +02:00
ext4
ext4: fix race when setting the bitmap corrupted flag
2018-09-05 09:29:46 +02:00
f2fs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
fat
fat: fix memory allocation failure handling of match_strdup()
2018-07-21 12:50:46 -07:00
freevxfs
freevxfs_lookup(): use d_splice_alias()
2018-05-22 14:27:51 -04:00
fscache
fscache: Fix reference overput in fscache_attach_object() error handling
2018-07-25 14:49:00 +01:00
fuse
fuse: Add missed unlock_page() to fuse_readpages_fill()
2018-09-05 09:29:49 +02:00
gfs2
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
hfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
hfsplus
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
hostfs
vfs: change inode times to use struct timespec64
2018-06-05 16:57:31 -07:00
hpfs
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
hugetlbfs
mm: use vma_init() to initialize VMAs on stack and data segments
2018-07-26 19:38:03 -07:00
isofs
isofs: fix potential memory leak in mount option parsing
2018-04-16 09:47:41 +02:00
jbd2
Bug fixes for ext4; most of which relate to vulnerabilities where a
2018-07-08 11:10:30 -07:00
jffs2
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
jfs
jfs: Fix usercopy whitelist for inline inode data
2018-08-04 07:53:46 -07:00
kernfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
lockd
nfsd: fix leaked file lock with nfs exported overlayfs
2018-09-09 10:32:38 +02:00
minix
minix_lookup: use d_splice_alias()
2018-05-22 14:27:52 -04:00
nfs
NFSv4: Fix a sleep in atomic context in nfs4_callback_sequence()
2018-09-09 10:32:38 +02:00
nfs_common
nfsd
nfsd: fix leaked file lock with nfs exported overlayfs
2018-09-09 10:32:38 +02:00
nilfs2
do d_instantiate/unlock_new_inode combinations safely
2018-05-11 15:36:37 -04:00
nls
notify
fsnotify: add fsnotify_add_inode_mark() wrappers
2018-05-18 14:58:22 +02:00
ntfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
ocfs2
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
omfs
omfs_lookup(): report IO errors, use d_splice_alias()
2018-05-22 14:27:58 -04:00
openpromfs
openpromfs: switch to d_splice_alias()
2018-05-22 14:27:57 -04:00
orangefs
Solve a series of broken links for files under Documentation:
2018-06-17 05:25:18 +09:00
overlayfs
ovl: fix wrong use of impure dir cache in ovl_iterate()
2018-09-09 10:32:36 +02:00
proc
fs/proc/task_mmu.c: fix Locked field in /proc/pid/smaps*
2018-07-14 11:11:09 -07:00
pstore
pstore: Remove bogus format string definition
2018-06-14 14:57:24 +02:00
qnx4
qnx4_lookup: use d_splice_alias()
2018-05-22 14:27:52 -04:00
qnx6
qnx6_lookup: switch to d_splice_alias()
2018-05-22 14:27:54 -04:00
quota
fs/quota: Fix spectre gadget in do_quotactl
2018-09-09 10:32:42 +02:00
ramfs
reiserfs
reiserfs: fix broken xattr handling (heap corruption, bad retval)
2018-08-24 13:04:51 +02:00
romfs
romfs_lookup: switch to d_splice_alias()
2018-05-22 14:27:55 -04:00
squashfs
Squashfs: Compute expected length from inode size rather than block length
2018-08-02 09:34:02 -07:00
sysfs
scsi: sysfs: Introduce sysfs_{un,}break_active_protection()
2018-09-05 09:29:54 +02:00
sysv
sysv_lookup: use d_splice_alias()
2018-05-22 14:27:53 -04:00
tracefs
ubifs
ubifs: Fix synced_i_size calculation for xattr inodes
2018-09-09 10:32:40 +02:00
udf
udf: Drop unused arguments of udf_delete_aext()
2018-06-20 11:05:49 +02:00
ufs
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
xfs
xfs: properly handle free inodes in extent hint validators
2018-07-24 11:34:52 -07:00
aio.c
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-07-22 12:04:51 -07:00
anon_inodes.c
attr.c
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
bad_inode.c
vfs: change inode times to use struct timespec64
2018-06-05 16:57:31 -07:00
binfmt_aout.c
exec: introduce finalize_exec() before start_thread()
2018-04-11 10:28:37 -07:00
binfmt_elf_fdpic.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
binfmt_elf.c
fs, elf: make sure to page align bss in load_elf_library
2018-07-14 11:11:10 -07:00
binfmt_em86.c
binfmt_flat.c
exec: introduce finalize_exec() before start_thread()
2018-04-11 10:28:37 -07:00
binfmt_misc.c
docs: Fix more broken references
2018-06-15 18:11:26 -03:00
binfmt_script.c
block_dev.c
for-linus-20180727
2018-07-27 12:51:00 -07:00
buffer.c
fs: move page_cache_seek_hole_data to iomap.c
2018-06-01 18:37:33 -07:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c
autofs: clean up includes
2018-06-07 17:34:40 -07:00
compat.c
ncpfs: remove compat functionality
2018-06-05 19:23:26 +02:00
coredump.c
d_path.c
dax.c
libnvdimm for 4.18
2018-06-08 17:21:52 -07:00
dcache.c
make sure that __dentry_kill() always invalidates d_seq, unhashed or not
2018-08-09 18:07:15 -04:00
dcookies.c
direct-io.c
block: consistently use GFP_NOIO instead of __GFP_NORECLAIM
2018-05-14 08:55:18 -06:00
drop_caches.c
eventfd.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
eventpoll.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
exec.c
mm: fix vma_is_anonymous() false-positives
2018-07-26 19:38:03 -07:00
fcntl.c
mm: restructure memfd code
2018-06-07 17:34:35 -07:00
fhandle.c
file_table.c
file.c
filesystems.c
proc: introduce proc_create_single{,_data}
2018-05-16 07:23:35 +02:00
fs_pin.c
fs_struct.c
fs-writeback.c
bdi: Fix oops in wb_workfn()
2018-05-03 16:11:37 -06:00
inode.c
Fix up non-directory creation in SGID directories
2018-07-05 12:36:36 -07:00
internal.h
drm_mode_create_lease_ioctl(): fix open-coded filp_clone_open()
2018-07-10 23:29:03 -04:00
ioctl.c
fs: Allow CAP_SYS_ADMIN in s_user_ns to freeze and thaw filesystems
2018-05-24 12:04:28 -05:00
iomap.c
fs: fix iomap_bmap position calculation
2018-08-02 13:09:27 -07:00
Kconfig
autofs: remove left-over autofs4 stubs
2018-06-11 08:22:34 -07:00
Kconfig.binfmt
docs: Fix more broken references
2018-06-15 18:11:26 -03:00
libfs.c
locks.c
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
Makefile
autofs: remove left-over autofs4 stubs
2018-06-11 08:22:34 -07:00
mbcache.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
mount.h
mpage.c
namei.c
Merge branch 'afs-proc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-16 16:32:04 +09:00
namespace.c
fix __legitimize_mnt()/mntput() race
2018-08-09 17:51:32 -04:00
no-block.c
nsfs.c
open.c
Revert "fs: fold open_check_o_direct into do_dentry_open"
2018-06-03 10:58:23 -07:00
pipe.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
readdir.c
select.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
seq_file.c
proc: fix smaps and meminfo alignment
2018-05-25 18:12:11 -07:00
signalfd.c
Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-16 16:21:50 +09:00
splice.c
Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-16 16:21:50 +09:00
stack.c
stat.c
statfs.c
super.c
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-04 10:14:28 -07:00
sync.c
Changes for this release:
2018-04-04 12:44:02 -07:00
timerfd.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
userfaultfd.c
userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails
2018-08-02 16:03:40 -07:00
utimes.c
xattr.c
getxattr: use correct xattr length
2018-09-09 10:32:41 +02:00