Artem Bityutskiy 4e3010bf3a UBIFS: fix a horrid bug ... commit 605c912bb8 upstream. Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2013-07-03 10:59:05 -07:00
..
budget.c
commit.c
compress.c
debug.c
debug.h
dir.c	UBIFS: fix a horrid bug	2013-07-03 10:59:05 -07:00
file.c
find.c	UBIFS: fix mounting problems after power cuts	2012-11-26 11:37:44 -08:00
gc.c
io.c
ioctl.c
journal.c
Kconfig
key.h
log.c
lprops.c	UBIFS: introduce categorized lprops counter	2012-11-26 11:37:44 -08:00
lpt.c
lpt_commit.c
Makefile
master.c
misc.h
orphan.c
recovery.c
replay.c
sb.c
scan.c
shrinker.c
super.c	UBIFS: make space fixup work in the remount case	2013-04-12 09:38:43 -07:00
tnc.c
tnc_commit.c
tnc_misc.c
ubifs-media.h
ubifs.h	UBIFS: introduce categorized lprops counter	2012-11-26 11:37:44 -08:00
xattr.c