2017-10-31 13:24:35 -04:00
From f0fe970df3838c202ef6c07a4c2b36838ef0a88b Mon Sep 17 00:00:00 2001
From: Jeff Mahoney <jeffm@suse.com>
Date: Tue, 5 Jul 2016 17:32:30 -0400
Subject: ecryptfs: don't allow mmap when the lower fs doesn't support it
There are legitimate reasons to disallow mmap on certain files, notably
in sysfs or procfs. We shouldn't emulate mmap support on file systems
that don't offer support natively.
CVE-2016-1583
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Cc: stable@vger.kernel.org
[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
fs/ecryptfs/file.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
(limited to 'fs/ecryptfs/file.c')
diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
|
|
|
|
index 53d0141..ca4e837 100644
|
|
|
|
--- a/fs/ecryptfs/file.c
|
|
|
|
+++ b/fs/ecryptfs/file.c
|
|
|
|
@@ -169,6 +169,19 @@ out:
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
|
|
|
+static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma)
|
|
|
|
+{
|
|
|
|
+ struct file *lower_file = ecryptfs_file_to_lower(file);
|
|
|
|
+ /*
|
|
|
|
+ * Don't allow mmap on top of file systems that don't support it
|
|
|
|
+ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs
|
|
|
|
+ * allows recursive mounting, this will need to be extended.
|
|
|
|
+ */
|
|
|
|
+ if (!lower_file->f_op->mmap)
|
|
|
|
+ return -ENODEV;
|
|
|
|
+ return generic_file_mmap(file, vma);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
/**
|
|
|
|
* ecryptfs_open
|
|
|
|
* @inode: inode specifying file to open
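Review bot: The stacking-depth assumption in ecryptfs_mmap() lives only in the comment, so nothing fails if FILESYSTEM_MAX_STACK_DEPTH is later raised and the one-level `lower_file->f_op->mmap` check quietly stops being sufficient; a `BUILD_BUG_ON(FILESYSTEM_MAX_STACK_DEPTH > 2);` at the top of the function would make it a build-time invariant. The test also only shows that the lower file has an mmap handler, not that the lower filesystem would accept this particular mapping, and the comment should say so, so that passing the -ENODEV check is not read as a full permission check. On style, kernel coding style wants a blank line between the `lower_file` declaration and the comment that follows it. The function also has no kernel-doc header, although ecryptfs_open directly below it has one.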
|
|
|
|
@@ -403,7 +416,7 @@ const struct file_operations ecryptfs_main_fops = {
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
.compat_ioctl = ecryptfs_compat_ioctl,
|
|
|
|
#endif
|
|
|
|
- .mmap = generic_file_mmap,
|
|
|
|
+ .mmap = ecryptfs_mmap,
|
|
|
|
.open = ecryptfs_open,
|
|
|
|
.flush = ecryptfs_flush,
|
|
|
|
.release = ecryptfs_release,
--
cgit v1.1