    compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS) · a7f61e89
    Jann Horn authored
    This replaces all code in fs/compat_ioctl.c that translated
    ioctl arguments into an in-kernel structure, then performed
    do_ioctl under set_fs(KERNEL_DS), with code that allocates
    data on the user stack and can call the VFS ioctl handler
    under USER_DS.
    
    This is done as a hardening measure because the caller
    does not know what kind of ioctl handler will be invoked,
    only that no corresponding compat_ioctl handler exists and
    what the ioctl command number is. The accidental
    invocation of an unlocked_ioctl handler that unexpectedly
    calls copy_to_user could be a severe security issue.
    Signed-off-by: Jann Horn <jann@thejh.net>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>