Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-11 16:29:05 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
linux-next/fs
History
Jann Horn 4c17a6d56b CIFS: fix type confusion in copy offload ioctl 
This might lead to local privilege escalation (code execution as
kernel) for systems where the following conditions are met:

 - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled
 - a cifs filesystem is mounted where:
  - the mount option "vers" was used and set to a value >=2.0
  - the attacker has write access to at least one file on the filesystem

To attack this, an attacker would have to guess the target_tcon
pointer (but guessing wrong doesn't cause a crash, it just returns an
error code) and win a narrow race.

CC: Stable <stable@vger.kernel.org>
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Steve French <smfrench@gmail.com>
2015-09-11 09:54:03 -05:00
..
9p
9p: fix return code of read() when count is 0
2015-08-23 14:21:36 -05:00
adfs
fs/adfs: remove unneeded cast
2015-06-30 19:44:57 -07:00
affs
fs/affs: make root lookup from blkdev logical size
2015-09-10 13:29:01 -07:00
afs
net: Add a struct net parameter to sock_create_kern
2015-05-11 10:50:17 -04:00
autofs4
make simple_positive() public
2015-06-23 18:02:01 -04:00
befs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-07-04 19:36:06 -07:00
bfs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-04-26 17:22:07 -07:00
btrfs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-09-05 20:34:28 -07:00
cachefiles
Merge branch 'fscache-fixes' into for-next
2015-06-23 18:01:30 -04:00
ceph
mm: mark most vm_operations_struct const
2015-09-10 13:29:01 -07:00
cifs
CIFS: fix type confusion in copy offload ioctl
2015-09-11 09:54:03 -05:00
coda
fs/coda: fix readlink buffer overflow
2015-09-10 13:29:01 -07:00
configfs
configfs: fix kernel infoleak through user-controlled format string
2015-07-17 16:39:53 -07:00
cramfs
fs/cramfs/inode.c: use linux/uaccess.h
2014-08-08 15:57:25 -07:00
debugfs
debugfs: Export bool read/write functions
2015-07-20 18:44:50 +01:00
devpts
devpts: if initialization failed, don't crash when opening /dev/ptmx
2015-06-30 19:44:58 -07:00
dlm
dlm for 4.3
2015-09-03 12:57:48 -07:00
ecryptfs
Invalidate stale eCryptfs dcache entries caused by unlinked lower inodes
2015-09-08 11:26:17 -07:00
efivarfs
Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2015-05-06 10:57:37 -07:00
efs
fs/efs: femove unneeded cast
2015-06-25 17:00:42 -07:00
exofs
pagemap.h: move dir_pages() over there
2015-06-23 18:02:00 -04:00
exportfs
VFS: (Scripted) Convert S_ISLNK/DIR/REG(dentry->d_inode) to d_is_*(dentry)
2015-02-22 11:38:41 -05:00
ext2
ext2: huge page fault support
2015-09-08 15:35:28 -07:00
ext4
ext4: start transaction before calling into DAX
2015-09-08 15:35:28 -07:00
f2fs
Merge tag 'for-f2fs-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs
2015-09-03 13:10:22 -07:00
fat
writeback: separate out include/linux/backing-dev-defs.h
2015-06-02 08:33:34 -06:00
freevxfs
freevxfs: Grammar s/an negative/a negative/
2015-08-07 13:59:24 +02:00
fscache
FS-Cache: Retain the netfs context in the retrieval op earlier
2015-04-02 14:28:53 +01:00
fuse
fs/fuse: fix ioctl type confusion
2015-08-16 12:35:44 -07:00
gfs2
fs: create and use seq_show_option for escaping
2015-09-04 16:54:41 -07:00
hfs
hfs: fix B-tree corruption after insertion at position 0
2015-09-10 13:29:01 -07:00
hfsplus
hfs,hfsplus: cache pages correctly between bnode_create and bnode_free
2015-09-10 13:29:01 -07:00
hostfs
fs: create and use seq_show_option for escaping
2015-09-04 16:54:41 -07:00
hpfs
hpfs: update ctime and mtime on directory modification
2015-09-03 11:55:30 -07:00
hugetlbfs
hugetlbfs: add hugetlbfs_fallocate()
2015-09-08 15:35:28 -07:00
isofs
VFS: normal filesystems (and lustre): d_inode() annotations
2015-04-15 15:06:57 -04:00
jbd2
jbd2: limit number of reserved credits
2015-08-04 11:21:52 -04:00
jffs2
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-07-04 19:36:06 -07:00
jfs
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2015-09-03 12:28:30 -07:00
kernfs
kernfs: implement kernfs_path_len()
2015-08-18 15:49:15 -07:00
lockd
lockd: NLM grace period shouldn't block NFSv4 opens
2015-08-13 10:22:06 -04:00
logfs
block: remove bio_get_nr_vecs()
2015-08-13 12:32:04 -06:00
minix
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-07-04 19:36:06 -07:00
ncpfs
ncpfs: successful rename() should invalidate caches for parents
2015-06-14 11:31:39 -04:00
nfs
NFS client updates for Linux 4.3
2015-09-07 14:02:24 -07:00
nfs_common
lockd: NLM grace period shouldn't block NFSv4 opens
2015-08-13 10:22:06 -04:00
nfsd
NFS client updates for Linux 4.3
2015-09-07 14:02:24 -07:00
nilfs2
block: remove bio_get_nr_vecs()
2015-08-13 12:32:04 -06:00
nls
notify
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-09-05 20:34:28 -07:00
ntfs
ntfs: delete unnecessary checks before calling iput()
2015-09-04 16:54:41 -07:00
ocfs2
fs: create and use seq_show_option for escaping
2015-09-04 16:54:41 -07:00
omfs
omfs: fix potential integer overflow in allocator
2015-05-28 18:25:19 -07:00
openpromfs
overlayfs
fs: create and use seq_show_option for escaping
2015-09-04 16:54:41 -07:00
proc
proc: convert to kstrto*()/kstrto*_from_user()
2015-09-10 13:29:01 -07:00
pstore
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2015-07-03 15:20:57 -07:00
qnx4
qnx6
pagemap.h: move dir_pages() over there
2015-06-23 18:02:00 -04:00
quota
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-09-05 20:34:28 -07:00
ramfs
VFS: normal filesystems (and lustre): d_inode() annotations
2015-04-15 15:06:57 -04:00
reiserfs
fs: create and use seq_show_option for escaping
2015-09-04 16:54:41 -07:00
romfs
make new_sync_{read,write}() static
2015-04-11 22:29:40 -04:00
squashfs
fs: cleanup slight list_entry abuse
2015-06-23 18:01:59 -04:00
sysfs
vfs: Commit to never having exectuables on proc and sysfs.
2015-07-10 10:39:25 -05:00
sysv
pagemap.h: move dir_pages() over there
2015-06-23 18:02:00 -04:00
tracefs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-07-04 19:36:06 -07:00
ubifs
This pull request includes the following UBI/UBIFS changes:
2015-06-25 14:11:34 -07:00
udf
udf: Don't modify filesystem for read-only mounts
2015-08-20 14:58:35 +02:00
ufs
fix ufs write vs readpage race when writing into a hole
2015-09-09 10:43:12 -07:00
xfs
xfs: huge page fault support
2015-09-08 15:35:28 -07:00
aio.c
mm: move ->mremap() from file_operations to vm_operations_struct
2015-09-04 16:54:41 -07:00
anon_inodes.c
attr.c
bad_inode.c
don't bother with most of the bad_file_ops methods
2015-02-20 04:03:58 -05:00
binfmt_aout.c
assorted conversions to %p[dD]
2014-11-19 13:01:20 -05:00
binfmt_elf_fdpic.c
handle suicide on late failure exits in execve() in search_binary_handler()
2014-10-09 02:39:00 -04:00
binfmt_elf.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-07-04 19:36:06 -07:00
binfmt_em86.c
syscalls: implement execveat() system call
2014-12-13 12:42:51 -08:00
binfmt_flat.c
binfmt_misc.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-04-26 17:22:07 -07:00
binfmt_script.c
syscalls: implement execveat() system call
2014-12-13 12:42:51 -08:00
block_dev.c
Merge branch 'akpm' (patches from Andrew)
2015-09-08 17:52:23 -07:00
buffer.c
fs: use helper bio_add_page() instead of open coding on bi_io_vec
2015-08-13 12:32:00 -06:00
char_dev.c
fs/char_dev.c: fix incorrect documentation for unregister_chrdev_region
2015-08-05 13:49:35 -07:00
compat_binfmt_elf.c
compat_ioctl.c
ioctl_compat: handle FITRIM
2015-07-09 11:42:21 -07:00
compat.c
vfs: make first argument of dir_context.actor typed
2014-10-31 17:48:54 -04:00
coredump.c
fs: Don't dump core if the corefile would become world-readable.
2015-09-10 13:29:01 -07:00
dax.c
dax: update PMD fault handler with PMEM API
2015-09-09 09:47:57 -07:00
dcache.c
dcache: Reduce the scope of i_lock in d_splice_alias
2015-08-21 02:34:37 -04:00
dcookies.c
direct-io.c
block: remove bio_get_nr_vecs()
2015-08-13 12:32:04 -06:00
drop_caches.c
inode: convert inode_sb_list_lock to per-sb
2015-08-17 18:39:46 -04:00
eventfd.c
eventfd: don't take the spinlock in eventfd_poll
2015-02-17 14:34:52 -08:00
eventpoll.c
epoll: optimize setting task running after blocking
2015-02-13 21:21:40 -08:00
exec.c
vfs: Commit to never having exectuables on proc and sysfs.
2015-07-10 10:39:25 -05:00
fcntl.c
vfs: renumber FMODE_NONOTIFY and add to uniqueness check
2015-01-08 15:10:52 -08:00
fhandle.c
vfs: read file_handle only once in handle_to_path
2015-06-02 10:29:07 -07:00
file_table.c
fs, file table: reinit files_stat.max_files after deferred memory initialisation
2015-08-07 04:39:40 +03:00
file.c
fs/file.c: __fget() and dup2() atomicity rules
2015-07-01 02:31:08 -04:00
filesystems.c
fs_pin.c
fs_pin: Allow for the possibility that m_list or s_list go unused.
2015-04-09 11:39:55 -05:00
fs_struct.c
fs-writeback.c
Merge branch 'for-4.3/blkcg' of git://git.kernel.dk/linux-block
2015-09-10 18:56:14 -07:00
inode.c
inode: don't softlockup when evicting inodes
2015-08-18 10:20:09 -07:00
internal.h
inode: rename i_wb_list to i_io_list
2015-08-17 23:38:10 -04:00
ioctl.c
fsioctl.c: make generic_block_fiemap() signal-tolerant
2015-02-10 14:30:30 -08:00
Kconfig
fs: Remove ext3 filesystem driver
2015-07-23 20:59:40 +02:00
Kconfig.binfmt
mm: split ET_DYN ASLR from mmap ASLR
2015-04-14 16:49:05 -07:00
libfs.c
fs: Set the size of empty dirs to 0.
2015-08-12 15:28:45 -05:00
locks.c
fs: fix fs/locks.c kernel-doc warning
2015-08-31 16:27:25 -04:00
Makefile
userfaultfd: buildsystem activation
2015-09-04 16:54:41 -07:00
mbcache.c
fs/mbcache: replace __builtin_log2() with ilog2()
2014-06-25 22:08:29 -04:00
mount.h
fs: use seq_open_private() for proc_mounts
2015-06-30 19:44:56 -07:00
mpage.c
block: remove bio_get_nr_vecs()
2015-08-13 12:32:04 -06:00
namei.c
namei: fix warning while make xmldocs caused by namei.c
2015-09-10 13:29:01 -07:00
namespace.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2015-09-01 16:13:25 -07:00
no-block.c
nsfs.c
nsfs: Add a show_path method to fix mountinfo
2015-07-11 11:09:00 -05:00
open.c
vfs: Commit to never having exectuables on proc and sysfs.
2015-07-10 10:39:25 -05:00
pipe.c
VFS: assorted weird filesystems: d_inode() annotations
2015-04-15 15:06:58 -04:00
pnode.c
mnt: Don't propagate unmounts to locked mounts
2015-04-02 20:34:20 -05:00
pnode.h
mnt: Clarify and correct the disconnect logic in umount_tree
2015-07-22 20:33:27 -05:00
posix_acl.c
fs/posix_acl.c: make posix_acl_create() safer and cleaner
2015-06-23 18:01:07 -04:00
proc_namespace.c
fs: use seq_open_private() for proc_mounts
2015-06-30 19:44:56 -07:00
read_write.c
new_sync_write(): discard ->ki_pos unless the return value is positive
2015-04-11 22:29:46 -04:00
readdir.c
vfs: make first argument of dir_context.actor typed
2014-10-31 17:48:54 -04:00
select.c
locking/arch: Rename set_mb() to smp_store_mb()
2015-05-19 08:32:00 +02:00
seq_file.c
seq_file: provide an analogue of print_hex_dump()
2015-09-10 13:29:01 -07:00
signalfd.c
signalfd: fix information leak in signalfd_copyinfo
2015-08-07 04:39:40 +03:00
splice.c
Merge branch 'akpm' (patches from Andrew)
2015-06-24 20:47:21 -07:00
stack.c
fs: fix comment for 'CONFIG_LBADF'
2014-08-26 09:35:56 +02:00
stat.c
VFS: assorted d_backing_inode() annotations
2015-04-15 15:06:59 -04:00
statfs.c
super.c
Merge branch 'superblock-scaling' of git://git.kernel.org/pub/scm/linux/kernel/git/josef/btrfs-next into for-next
2015-08-21 02:31:20 -04:00
sync.c
vfs: add support for a lazytime mount option
2015-02-05 02:45:00 -05:00
timerfd.c
fs: Convert show_fdinfo functions to void
2014-11-05 14:13:23 -05:00
userfaultfd.c
userfaultfd: avoid missing wakeups during refile in userfaultfd_read
2015-09-04 16:54:41 -07:00
utimes.c
xattr.c
evm: fix potential race when removing xattrs
2015-05-21 13:28:47 -04:00