    xfs: fix type confusion in xfs_ioc_swapext · 3e0a3965
    Jann Horn authored
    Without this check, the following XFS_I invocations would return bad
    pointers when used on non-XFS inodes (perhaps pointers into preceding
    allocator chunks).
    
    This could be used by an attacker to trick xfs_swap_extents into
    performing locking operations on attacker-chosen structures in kernel
    memory, potentially leading to code execution in the kernel.  (I have
    not investigated how likely this is to be usable for an attack in
    practice.)
    Signed-off-by: Jann Horn <jann@thejh.net>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Dave Chinner <david@fromorbit.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
xfs_ioctl.c 42.5 KB
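
The pattern the commit message describes, as an added userspace example that is not the kernel's code or the patch itself: a container_of-style downcast such as XFS_I is only valid after the object's type has been verified. All `model_*` names are hypothetical stand-ins, and using the file-operations pointer as the type identity is an assumption, since the page does not show the check.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace model; every name here is a stand-in, not a kernel definition. */
struct file_ops { const char *name; };
struct inode { unsigned long i_ino; };
struct file { const struct file_ops *f_op; struct inode *f_inode; };

/* The filesystem-private inode embeds the generic inode at a nonzero offset. */
struct model_xfs_inode {
    int i_lock;              /* stand-in for the lock the swap path takes */
    struct inode i_vnode;
};

static const struct file_ops model_xfs_file_ops = { "xfs" };
static const struct file_ops model_other_file_ops = { "other" };

/* container_of-style downcast: valid only if ino really is embedded in a
 * model_xfs_inode. For a foreign inode the result points before the object,
 * into whatever memory happens to precede it. */
#define MODEL_XFS_I(ino) \
    ((struct model_xfs_inode *)((char *)(ino) - offsetof(struct model_xfs_inode, i_vnode)))

/* Type check first, downcast second. Returns 0 after "locking" both inodes,
 * or -EINVAL without deriving any pointer from a foreign inode. */
int model_swapext(struct file *a, struct file *b)
{
    if (a->f_op != &model_xfs_file_ops || b->f_op != &model_xfs_file_ops)
        return -EINVAL;
    MODEL_XFS_I(a->f_inode)->i_lock++;
    MODEL_XFS_I(b->f_inode)->i_lock++;
    return 0;
}

/* Constructed sample objects: two model-XFS files and one foreign file. */
static struct model_xfs_inode xa, xb;
static struct inode foreign_inode;
struct file file_a = { &model_xfs_file_ops, &xa.i_vnode };
struct file file_b = { &model_xfs_file_ops, &xb.i_vnode };
struct file file_foreign = { &model_other_file_ops, &foreign_inode };

/* Only call this on files already known to be model-XFS files. */
int model_lock_count(const struct file *f)
{
    return MODEL_XFS_I(f->f_inode)->i_lock;
}
```

Both arguments are checked before either is downcast, so a rejected call leaves the valid file's lock untouched as well.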