Attachment #56379 for bug #81295

View | Details | Raw Unified | Return to bug 81295
Collapse All | Expand All

Lines 1088-1098 Link Here

(-)a/arch/mips64/kernel/linux32.c (-4 / +2 lines)
1088	i--;	1088	i--;
1089	}	1089	}
1090		1090
1091	inode = file->f_dentry->d_inode;
1092	/* VERIFY_WRITE actually means a read, as we write to user space */	1091	/* VERIFY_WRITE actually means a read, as we write to user space */
1093	retval = locks_verify_area((type == VERIFY_WRITE	1092	retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
1094	? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),	1093	file, &file->f_pos, tot_len);
1095	inode, file, file->f_pos, tot_len);
1096	if (retval) {	1094	if (retval) {
1097	if (iov != iovstack)	1095	if (iov != iovstack)
1098	kfree(iov);	1096	kfree(iov);

Lines 1671-1681 Link Here

(-)a/arch/parisc/kernel/sys_parisc32.c (-4 / +2 lines)
1671	i--;	1671	i--;
1672	}	1672	}
1673		1673
1674	inode = file->f_dentry->d_inode;
1675	/* VERIFY_WRITE actually means a read, as we write to user space */	1674	/* VERIFY_WRITE actually means a read, as we write to user space */
1676	retval = locks_verify_area((type == VERIFY_WRITE	1675	retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
1677	? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),	1676	file, &file->f_pos, tot_len);
1678	inode, file, file->f_pos, tot_len);
1679	if (retval) {	1677	if (retval) {
1680	if (iov != iovstack)	1678	if (iov != iovstack)
1681	kfree(iov);	1679	kfree(iov);

Lines 183-193 Link Here

(-)a/arch/ppc64/kernel/sys_ppc32.c (-4 / +2 lines)
183	i--;	183	i--;
184	}	184	}
185		185
186	inode = file->f_dentry->d_inode;
187	/* VERIFY_WRITE actually means a read, as we write to user space */	186	/* VERIFY_WRITE actually means a read, as we write to user space */
188	retval = locks_verify_area((type == VERIFY_WRITE	187	retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
189	? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),	188	file, &file->f_pos, tot_len);
190	inode, file, file->f_pos, tot_len);
191	if (retval) {	189	if (retval) {
192	if (iov != iovstack)	190	if (iov != iovstack)
193	kfree(iov);	191	kfree(iov);




	unsigned long tot_len;
	struct iovec iovstack[UIO_FASTIOV];
	struct iovec *iov=iovstack, *ivp;
	struct inode *inode;
	long retval, i;
	io_fn_t fn;
	iov_fn_t fnv;

		i--;
	}

	inode = file->f_dentry->d_inode;
	/* VERIFY_WRITE actually means a read, as we write to user space */
	retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
				   file, &file->f_pos, tot_len);
				   inode, file, file->f_pos, tot_len);
	if (retval)
		goto out;





	__kernel_ssize_t32 tot_len;
	struct iovec iovstack[UIO_FASTIOV];
	struct iovec *iov=iovstack, *ivp;
	struct inode *inode;
	long retval, i;
	io_fn_t fn;
	iov_fn_t fnv;

		i--;
	}

	inode = file->f_dentry->d_inode;
	/* VERIFY_WRITE actually means a read, as we write to user space */
	retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
				   file, &file->f_pos, tot_len);
				   inode, file, file->f_pos, tot_len);
	if (retval)
		goto out;


Lines 46-51 Link Here

(-)a/fs/file_table.c (+3 lines)
46	f->f_version = ++event;	46	f->f_version = ++event;
47	f->f_uid = current->fsuid;	47	f->f_uid = current->fsuid;
48	f->f_gid = current->fsgid;	48	f->f_gid = current->fsgid;
		49	f->f_maxcount = INT_MAX;
49	list_add(&f->f_list, &anon_list);	50	list_add(&f->f_list, &anon_list);
50	file_list_unlock();	51	file_list_unlock();
51	return f;	52	return f;
Lines 92-97 Link Here
92	filp->f_uid = current->fsuid;	92	filp->f_uid = current->fsuid;
93	filp->f_gid = current->fsgid;	93	filp->f_gid = current->fsgid;
94	filp->f_op = dentry->d_inode->i_fop;	94	filp->f_op = dentry->d_inode->i_fop;
		95	filp->f_maxcount = INT_MAX;
		96
95	if (filp->f_op->open)	97	if (filp->f_op->open)
96	return filp->f_op->open(dentry->d_inode, filp);	98	return filp->f_op->open(dentry->d_inode, filp);
97	else	99	else




	return -EISDIR;
}

int rw_verify_area(int read_write, struct file *file, loff_t *ppos, size_t count)
{
	struct inode *inode;
	loff_t pos;

	if (unlikely(count > file->f_maxcount))
		goto Einval;

	pos = *ppos;

	if (unlikely((pos < 0) || (loff_t) (pos + count) < 0))
		goto Einval;

	inode = file->f_dentry->d_inode;
	if (inode->i_flock && MANDATORY_LOCK(inode))
		return locks_mandatory_area(read_write == READ ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE, inode, file, *ppos, count);
	return 0;

Einval:
	return -EINVAL;
}

loff_t generic_file_llseek(struct file *file, loff_t offset, int origin)
{
	long long retval;

	file = fget(fd);
	if (file) {
		if (file->f_mode & FMODE_READ) {
			ret = rw_verify_area(READ, file, &file->f_pos, count);

			if (!ret) {
				ssize_t (*read)(struct file *, char *, size_t, loff_t *);
				ret = -EINVAL;

	file = fget(fd);
	if (file) {
		if (file->f_mode & FMODE_WRITE) {
			ret = rw_verify_area(WRITE, file, &file->f_pos, count);
			ret = locks_verify_area(FLOCK_VERIFY_WRITE, inode, file,
				file->f_pos, count);
			if (!ret) {
				ssize_t (*write)(struct file *, const char *, size_t, loff_t *);
				ret = -EINVAL;

	ssize_t ret, i;
	io_fn_t fn;
	iov_fn_t fnv;
	struct inode *inode;

	/*
	 * First get the "struct iovec" from user memory and

			goto out;
	}

	inode = file->f_dentry->d_inode;
	/* VERIFY_WRITE actually means a read, as we write to user space */
	ret = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
				file, &file->f_pos, tot_len);
	if (ret) 
		goto out;

	fnv = (type == VERIFY_WRITE ? file->f_op->readv : file->f_op->writev);
	if (fnv) {

		goto bad_file;
	if (!(file->f_mode & FMODE_READ))
		goto out;
	ret = rw_verify_area(READ, file, &pos, count);

	if (ret)
		goto out;
	ret = -EINVAL;

		goto bad_file;
	if (!(file->f_mode & FMODE_WRITE))
		goto out;
	ret = rw_verify_area(WRITE, file, &pos, count);

	if (ret)
		goto out;
	ret = -EINVAL;




	unsigned int		f_uid, f_gid;
	int			f_error;

	size_t			f_maxcount;
	unsigned long		f_version;

	/* needed for tty driver, and maybe others */

	return 0;
}

extern int rw_verify_area(int, struct file *, loff_t *, size_t);
				    struct file *filp, loff_t offset,
				    size_t count)
{
	if (inode->i_flock && MANDATORY_LOCK(inode))
		return locks_mandatory_area(read_write, inode, filp, offset, count);
	return 0;
}

static inline int locks_verify_truncate(struct inode *inode,
				    struct file *filp,

Lines 1870-1876 Link Here

(-)a/mm/filemap.c (-2 / +2 lines)
1870	goto fput_in;	1870	goto fput_in;
1871	if (!in_inode->i_mapping->a_ops->readpage)	1871	if (!in_inode->i_mapping->a_ops->readpage)
1872	goto fput_in;	1872	goto fput_in;
1873	retval = locks_verify_area(FLOCK_VERIFY_READ, in_inode, in_file, in_file->f_pos, count);	1873	retval = rw_verify_area(READ, in_file, &in_file->f_pos, count);
1874	if (retval)	1874	if (retval)
1875	goto fput_in;	1875	goto fput_in;
1876		1876
Lines 1887-1893 Link Here
1887	if (!out_file->f_op \|\| !out_file->f_op->write)	1887	if (!out_file->f_op \|\| !out_file->f_op->write)
1888	goto fput_out;	1888	goto fput_out;
1889	out_inode = out_file->f_dentry->d_inode;	1889	out_inode = out_file->f_dentry->d_inode;
1890	retval = locks_verify_area(FLOCK_VERIFY_WRITE, out_inode, out_file, out_file->f_pos, count);	1890	retval = rw_verify_area(WRITE, out_file, &out_file->f_pos, count);
1891	if (retval)	1891	if (retval)
1892	goto fput_out;	1892	goto fput_out;
1893		1893

Return to bug 81295

Lines 1108-1114 Link Here

(-)a/arch/s390x/kernel/linux32.c (-5 / +2 lines)
1108	unsigned long tot_len;	1108	unsigned long tot_len;
1109	struct iovec iovstack[UIO_FASTIOV];	1109	struct iovec iovstack[UIO_FASTIOV];
1110	struct iovec iov=iovstack, ivp;	1110	struct iovec iov=iovstack, ivp;
1111	struct inode *inode;
1112	long retval, i;	1111	long retval, i;
1113	io_fn_t fn;	1112	io_fn_t fn;
1114	iov_fn_t fnv;	1113	iov_fn_t fnv;
Lines 1145-1155 Link Here
1145	i--;	1144	i--;
1146	}	1145	}
1147		1146
1148	inode = file->f_dentry->d_inode;
1149	/* VERIFY_WRITE actually means a read, as we write to user space */	1147	/* VERIFY_WRITE actually means a read, as we write to user space */
1150	retval = locks_verify_area((type == VERIFY_WRITE	1148	retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
1151	? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),	1149	file, &file->f_pos, tot_len);
1152	inode, file, file->f_pos, tot_len);
1153	if (retval)	1150	if (retval)
1154	goto out;	1151	goto out;
1155		1152

Lines 40-45 Link Here

(-)a/fs/read_write.c (-15 / +33 lines)
40	return -EISDIR;	40	return -EISDIR;
41	}	41	}
42		42
		43	int rw_verify_area(int read_write, struct file file, loff_t ppos, size_t count)
		44	{
		45	struct inode *inode;
		46	loff_t pos;
		47
		48	if (unlikely(count > file->f_maxcount))
		49	goto Einval;
		50
		51	pos = *ppos;
		52
		53	if (unlikely((pos < 0) \|\| (loff_t) (pos + count) < 0))
		54	goto Einval;
		55
		56	inode = file->f_dentry->d_inode;
		57	if (inode->i_flock && MANDATORY_LOCK(inode))
		58	return locks_mandatory_area(read_write == READ ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE, inode, file, *ppos, count);
		59	return 0;
		60
		61	Einval:
		62	return -EINVAL;
		63	}
		64
43	loff_t generic_file_llseek(struct file *file, loff_t offset, int origin)	65	loff_t generic_file_llseek(struct file *file, loff_t offset, int origin)
44	{	66	{
45	long long retval;	67	long long retval;
Lines 168-175 Link Here
168	file = fget(fd);	190	file = fget(fd);
169	if (file) {	191	if (file) {
170	if (file->f_mode & FMODE_READ) {	192	if (file->f_mode & FMODE_READ) {
171	ret = locks_verify_area(FLOCK_VERIFY_READ, file->f_dentry->d_inode,	193	ret = rw_verify_area(READ, file, &file->f_pos, count);
172	file, file->f_pos, count);	194
173	if (!ret) {	195	if (!ret) {
174	ssize_t (read)(struct file , char , size_t, loff_t );	196	ssize_t (read)(struct file , char , size_t, loff_t );
175	ret = -EINVAL;	197	ret = -EINVAL;
Lines 193-201 Link Here
193	file = fget(fd);	215	file = fget(fd);
194	if (file) {	216	if (file) {
195	if (file->f_mode & FMODE_WRITE) {	217	if (file->f_mode & FMODE_WRITE) {
196	struct inode *inode = file->f_dentry->d_inode;	218	ret = rw_verify_area(WRITE, file, &file->f_pos, count);
197	ret = locks_verify_area(FLOCK_VERIFY_WRITE, inode, file,
198	file->f_pos, count);
199	if (!ret) {	219	if (!ret) {
200	ssize_t (write)(struct file , const char , size_t, loff_t );	220	ssize_t (write)(struct file , const char , size_t, loff_t );
201	ret = -EINVAL;	221	ret = -EINVAL;
Lines 224-230 Link Here
224	ssize_t ret, i;	244	ssize_t ret, i;
225	io_fn_t fn;	245	io_fn_t fn;
226	iov_fn_t fnv;	246	iov_fn_t fnv;
227	struct inode *inode;
228		247
229	/*	248	/*
230	* First get the "struct iovec" from user memory and	249	* First get the "struct iovec" from user memory and
Lines 275-286 Link Here
275	goto out;	294	goto out;
276	}	295	}
277		296
278	inode = file->f_dentry->d_inode;
279	/* VERIFY_WRITE actually means a read, as we write to user space */	297	/* VERIFY_WRITE actually means a read, as we write to user space */
280	ret = locks_verify_area((type == VERIFY_WRITE	298	ret = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
281	? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),	299	file, &file->f_pos, tot_len);
282	inode, file, file->f_pos, tot_len);	300	if (ret)
283	if (ret) goto out;	301	goto out;
284		302
285	fnv = (type == VERIFY_WRITE ? file->f_op->readv : file->f_op->writev);	303	fnv = (type == VERIFY_WRITE ? file->f_op->readv : file->f_op->writev);
286	if (fnv) {	304	if (fnv) {
Lines 383-390 Link Here
383	goto bad_file;	401	goto bad_file;
384	if (!(file->f_mode & FMODE_READ))	402	if (!(file->f_mode & FMODE_READ))
385	goto out;	403	goto out;
386	ret = locks_verify_area(FLOCK_VERIFY_READ, file->f_dentry->d_inode,	404	ret = rw_verify_area(READ, file, &pos, count);
387	file, pos, count);	405
388	if (ret)	406	if (ret)
389	goto out;	407	goto out;
390	ret = -EINVAL;	408	ret = -EINVAL;
Lines 414-421 Link Here
414	goto bad_file;	432	goto bad_file;
415	if (!(file->f_mode & FMODE_WRITE))	433	if (!(file->f_mode & FMODE_WRITE))
416	goto out;	434	goto out;
417	ret = locks_verify_area(FLOCK_VERIFY_WRITE, file->f_dentry->d_inode,	435	ret = rw_verify_area(WRITE, file, &pos, count);
418	file, pos, count);	436
419	if (ret)	437	if (ret)
420	goto out;	438	goto out;
421	ret = -EINVAL;	439	ret = -EINVAL;

Lines 576-581 Link Here

(-)a/include/linux/fs.h (-8 / +2 lines)
576	unsigned int f_uid, f_gid;	576	unsigned int f_uid, f_gid;
577	int f_error;	577	int f_error;
578		578
		579	size_t f_maxcount;
579	unsigned long f_version;	580	unsigned long f_version;
580		581
581	/* needed for tty driver, and maybe others */	582	/* needed for tty driver, and maybe others */
Lines 1056-1069 Link Here
1056	return 0;	1057	return 0;
1057	}	1058	}
1058		1059
1059	static inline int locks_verify_area(int read_write, struct inode *inode,	1060	extern int rw_verify_area(int, struct file , loff_t , size_t);
1060	struct file *filp, loff_t offset,
1061	size_t count)
1062	{
1063	if (inode->i_flock && MANDATORY_LOCK(inode))
1064	return locks_mandatory_area(read_write, inode, filp, offset, count);
1065	return 0;
1066	}
1067		1061
1068	static inline int locks_verify_truncate(struct inode *inode,	1062	static inline int locks_verify_truncate(struct inode *inode,
1069	struct file *filp,	1063	struct file *filp,

Lines 1093-1099 Link Here

(-)a/arch/sparc64/kernel/sys_sparc32.c (-5 / +2 lines)
1093	__kernel_ssize_t32 tot_len;	1093	__kernel_ssize_t32 tot_len;
1094	struct iovec iovstack[UIO_FASTIOV];	1094	struct iovec iovstack[UIO_FASTIOV];
1095	struct iovec iov=iovstack, ivp;	1095	struct iovec iov=iovstack, ivp;
1096	struct inode *inode;
1097	long retval, i;	1096	long retval, i;
1098	io_fn_t fn;	1097	io_fn_t fn;
1099	iov_fn_t fnv;	1098	iov_fn_t fnv;
Lines 1140-1150 Link Here
1140	i--;	1139	i--;
1141	}	1140	}
1142		1141
1143	inode = file->f_dentry->d_inode;
1144	/* VERIFY_WRITE actually means a read, as we write to user space */	1142	/* VERIFY_WRITE actually means a read, as we write to user space */
1145	retval = locks_verify_area((type == VERIFY_WRITE	1143	retval = rw_verify_area((type == VERIFY_WRITE ? READ : WRITE),
1146	? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE),	1144	file, &file->f_pos, tot_len);
1147	inode, file, file->f_pos, tot_len);
1148	if (retval)	1145	if (retval)
1149	goto out;	1146	goto out;
1150		1147