• Jann Horn's avatar
    CIFS: fix type confusion in copy offload ioctl · ae1ba911
    Jann Horn authored
    commit 4c17a6d5 upstream.
    
    This might lead to local privilege escalation (code execution as
    kernel) for systems where the following conditions are met:
    
     - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled
     - a cifs filesystem is mounted where:
      - the mount option "vers" was used and set to a value >=2.0
      - the attacker has write access to at least one file on the filesystem
    
    To attack this, an attacker would have to guess the target_tcon
    pointer (but guessing wrong doesn't cause a crash, it just returns an
    error code) and win a narrow race.
    Signed-off-by: default avatarJann Horn <jann@thejh.net>
    Signed-off-by: default avatarSteve French <smfrench@gmail.com>
    Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
    ae1ba911
ioctl.c 6.3 KB