• Jann Horn's avatar
    xfs: fix type confusion in xfs_ioc_swapext · 7f1b6245
    Jann Horn authored
    When calling fdget() in xfs_ioc_swapext(), we need to verify that
    the file descriptors passed into the ioctl point to XFS inodes
    before we start operations on them. If we don't do this, we could be
    referencing arbitrary kernel memory as an XFS inode. THis could lead
    to memory corruption and/or performing locking operations on
    attacker-chosen structures in kernel memory.
    
    [dchinner: rewrite commit message ]
    [dchinner: add comment explaining new check ]
    Signed-off-by: default avatarJann Horn <jann@thejh.net>
    Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
    Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
    
    7f1b6245
xfs_ioctl.c 42.7 KB