diff options
author | Alex Elder <aelder@sgi.com> | 2011-03-01 20:50:00 +0300 |
---|---|---|
committer | Alex Elder <aelder@sgi.com> | 2011-03-02 06:19:59 +0300 |
commit | eeb2036b8a148629b762ae6d85cff0be8106f081 (patch) | |
tree | c5fca77c46f9493ed02621a1dcd3bb89367b3807 /fs/compat_binfmt_elf.c | |
parent | 20ad9ea9becd34a3c16252ca9d815f2c74f8f30f (diff) | |
download | linux-eeb2036b8a148629b762ae6d85cff0be8106f081.tar.xz |
xfs: zero proper structure size for geometry calls
Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
xfs_fs_geometry() in order to avoid passing kernel stack data back
to user space:
+ memset(geo, 0, sizeof(*geo));
Unfortunately, one of the callers of that function passes the
address of a smaller data type, cast to fit the type that
xfs_fs_geometry() requires. As a result, this can happen:
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
in: f87aca93
Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
Call Trace:
[<c12991ac>] ? panic+0x50/0x150
[<c102ed71>] ? __stack_chk_fail+0x10/0x18
[<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]
Fix this by fixing that one caller to pass the right type and then
copy out the subset it is interested in.
Note: This patch is an alternative to one originally proposed by
Eric Sandeen.
Reported-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
Signed-off-by: Alex Elder <aelder@sgi.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Tested-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
Diffstat (limited to 'fs/compat_binfmt_elf.c')
0 files changed, 0 insertions, 0 deletions