diff options
| author | Jann Horn <jann@thejh.net> | 2015-09-11 16:27:27 +0200 |
|---|---|---|
| committer | Steve French <smfrench@gmail.com> | 2015-09-11 09:54:03 -0500 |
| commit | 4c17a6d56bb0cad3066a714e94f7185a24b40f49 (patch) | |
| tree | cbd5fe9b42e01ef05f8e4fa0298c0a82c2180d44 /fs/notify/inotify | |
| parent | b0a1ea51bda4c2bcdde460221e1772f3a4f8c44f (diff) | |
| download | linux-4c17a6d56bb0cad3066a714e94f7185a24b40f49.tar.gz | |
CIFS: fix type confusion in copy offload ioctl
This might lead to local privilege escalation (code execution as kernel) for systems where the following conditions are met: - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled - a cifs filesystem is mounted where: - the mount option "vers" was used and set to a value >=2.0 - the attacker has write access to at least one file on the filesystem To attack this, an attacker would have to guess the target_tcon pointer (but guessing wrong doesn't cause a crash, it just returns an error code) and win a narrow race. CC: Stable <stable@vger.kernel.org> Signed-off-by: Jann Horn <jann@thejh.net> Signed-off-by: Steve French <smfrench@gmail.com>
Diffstat (limited to 'fs/notify/inotify')
0 files changed, 0 insertions, 0 deletions