android_kernel_xiaomi_sm8350/fs/btrfs
Dan Rosenberg 2ebc346478 Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE
1.  The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check
whether the donor file is append-only before writing to it.

2.  The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer
overflow that allows a user to specify an out-of-bounds range to copy
from the source file (if off + len wraps around).  I haven't been able
to successfully exploit this, but I'd imagine that a clever attacker
could use this to read things he shouldn't.  Even if it's not
exploitable, it couldn't hurt to be safe.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
cc: stable@kernel.org
Signed-off-by: Chris Mason <chris.mason@oracle.com>
2010-07-19 16:58:20 -04:00
..
acl.c Btrfs: handle ERR_PTR from posix_acl_from_xattr() 2010-06-11 15:57:39 -04:00
async-thread.c Btrfs: don't walk around with task->state != TASK_RUNNING 2010-05-25 10:34:58 -04:00
async-thread.h Btrfs: fix deadlock on async thread startup 2009-10-05 09:44:45 -04:00
btrfs_inode.h Btrfs: Metadata reservation for orphan inodes 2010-05-25 10:34:52 -04:00
compat.h
compression.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable 2010-04-05 13:21:15 -07:00
compression.h
ctree.c Btrfs: fix split_leaf double split corner case 2010-07-19 16:14:50 -04:00
ctree.h Btrfs: add basic DIO read/write support 2010-05-25 10:34:57 -04:00
delayed-ref.c Btrfs: Integrate metadata reservation with start_transaction 2010-05-25 10:34:50 -04:00
delayed-ref.h Btrfs: Integrate metadata reservation with start_transaction 2010-05-25 10:34:50 -04:00
dir-item.c Btrfs: Pass transaction handle to security and ACL initialization functions 2009-12-17 12:33:34 -05:00
disk-io.c Btrfs: btrfs_read_fs_root_no_name() returns ERR_PTRs 2010-06-11 15:57:36 -04:00
disk-io.h Btrfs: use async helpers for DIO write checksumming 2010-05-25 10:34:58 -04:00
export.c Btrfs: change how we mount subvolumes 2010-03-15 10:58:13 -04:00
export.h
extent_io.c Btrfs: rework O_DIRECT enospc handling 2010-05-25 21:52:08 -04:00
extent_io.h Btrfs: rework O_DIRECT enospc handling 2010-05-25 21:52:08 -04:00
extent_map.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
extent_map.h Btrfs: search for an allocation hint while filling file COW 2009-09-18 16:08:52 -04:00
extent-tree.c Btrfs: Fix BUG_ON for fs converted from extN 2010-06-11 15:48:35 -04:00
file-item.c Btrfs: add basic DIO read/write support 2010-05-25 10:34:57 -04:00
file.c Btrfs: The file argument for fsync() is never null 2010-06-11 15:57:40 -04:00
free-space-cache.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
free-space-cache.h
hash.h
inode-item.c Btrfs: Integrate metadata reservation with start_transaction 2010-05-25 10:34:50 -04:00
inode-map.c Btrfs: do not reuse objectid of deleted snapshot/subvol 2009-09-21 15:56:00 -04:00
inode.c Btrfs: uninitialized data is check_path_shared() 2010-06-11 11:46:12 -04:00
ioctl.c Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE 2010-07-19 16:58:20 -04:00
ioctl.h Btrfs: use __u64 types in ioctl.h 2010-03-16 14:24:27 -04:00
Kconfig Revert "task_struct: make journal_info conditional" 2009-12-17 13:23:24 -08:00
locking.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
locking.h
Makefile
ordered-data.c Btrfs: add basic DIO read/write support 2010-05-25 10:34:57 -04:00
ordered-data.h Btrfs: add basic DIO read/write support 2010-05-25 10:34:57 -04:00
orphan.c Btrfs: change how subvolumes are organized 2009-09-21 15:56:00 -04:00
print-tree.c
print-tree.h
ref-cache.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ref-cache.h Btrfs: use RB_ROOT to intialize rb_trees instead of setting rb_node to NULL 2010-03-08 16:26:50 -05:00
relocation.c Btrfs: Fix null dereference in relocation.c 2010-06-11 15:48:34 -04:00
root-tree.c Btrfs: avoid BUG when dropping root and reference in same transaction 2010-06-11 15:57:39 -04:00
struct-funcs.c
super.c Btrfs: btrfs_iget() returns ERR_PTR 2010-06-11 15:57:35 -04:00
sysfs.c Driver core: Constify struct sysfs_ops in struct kobj_type 2010-03-07 17:04:49 -08:00
transaction.c Btrfs: don't walk around with task->state != TASK_RUNNING 2010-05-25 10:34:58 -04:00
transaction.h Btrfs: Introduce global metadata reservation 2010-05-25 10:34:52 -04:00
tree-defrag.c Btrfs: Introduce global metadata reservation 2010-05-25 10:34:52 -04:00
tree-log.c Btrfs: Metadata ENOSPC handling for tree log 2010-05-25 10:34:53 -04:00
tree-log.h Btrfs: Metadata ENOSPC handling for tree log 2010-05-25 10:34:53 -04:00
version.h
version.sh
volumes.c Btrfs: Integrate metadata reservation with start_transaction 2010-05-25 10:34:50 -04:00
volumes.h Btrfs: make balance code choose more wisely when relocating 2009-09-21 19:23:48 -04:00
xattr.c Btrfs: Integrate metadata reservation with start_transaction 2010-05-25 10:34:50 -04:00
xattr.h Btrfs: Pass transaction handle to security and ACL initialization functions 2009-12-17 12:33:34 -05:00
zlib.c