hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB5UKT
--------------------------------
We need to make sure that the type of request being completed matches the currently called function. In addition, the object corresponding to the cread fd should match the object corresponding to the request id. This prevents malicious processes from completing random copen/cread requests and crashing the system.
Signed-off-by: Baokun Li libaokun1@huawei.com
---
 fs/cachefiles/ondemand.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c
index 0eb2160add45..544eba85b776 100644
--- a/fs/cachefiles/ondemand.c
+++ b/fs/cachefiles/ondemand.c
@@ -102,10 +102,14 @@ static long cachefiles_ondemand_fd_ioctl(struct file *filp, unsigned int ioctl,
 id = arg;
 xa_lock(&cache->reqs);
- req = radix_tree_delete(&cache->reqs, id);
- xa_unlock(&cache->reqs);
- if (!req)
+ req = radix_tree_lookup(&cache->reqs, id);
+ if (!req || req->msg.opcode != CACHEFILES_OP_READ ||
+ req->object != object) {
+ xa_unlock(&cache->reqs);
 return -EINVAL;
+ }
+ radix_tree_delete(&cache->reqs, id);
+ xa_unlock(&cache->reqs);
 complete(&req->done);
 return 0;
@@ -155,10 +159,13 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args)
 return ret;
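Review bot: The ordering that makes this check effective (look up, validate, and only then `radix_tree_delete()`, all under one `xa_lock`) is not stated anywhere in the new code. A later refactor could move the delete back ahead of the check and restore the removed behaviour, where a wrong id takes someone else's request out of the tree and completes it. I would add a comment above the lookup such as `/* validate before deleting: a mismatched id must leave the request queued for its rightful completer */`; the same applies to the matching block in cachefiles_ondemand_copen() in the next hunk. The function body begins outside the hunk, where `object` and `id` are declared.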
 xa_lock(&cache->reqs);
- req = radix_tree_delete(&cache->reqs, id);
- xa_unlock(&cache->reqs);
- if (!req)
+ req = radix_tree_lookup(&cache->reqs, id);
+ if (!req || req->msg.opcode != CACHEFILES_OP_OPEN) {
+ xa_unlock(&cache->reqs);
 return -EINVAL;
+ }
+ radix_tree_delete(&cache->reqs, id);
+ xa_unlock(&cache->reqs);
 /* fail OPEN request if copen format is invalid */
 ret = kstrtol(psize, 0, &size);
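Review bot: The copen path validates only `req->msg.opcode != CACHEFILES_OP_OPEN`, so any pending OPEN request id is still accepted, whereas the cread hunk also ties the request to the calling fd's object. copen arrives as a command string (`char *args`) on the cache rather than on a per-object fd, so there may be nothing equivalent to compare here. If the request or its object records whether this open was actually handed to the daemon (that state is not visible in the hunk), rejecting never-delivered ids in the same condition would close the remaining gap. At minimum a comment such as `/* copen has no per-object fd: only the opcode can be checked against the id */` would document the weaker guarantee. The function continues past the end of the hunk.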