fs/xattr.c: zero out memory copied to userspace in getxattr
getxattr uses vmalloc to allocate memory if kzalloc fails. This is
filled by vfs_getxattr and then copied to the userspace. vmalloc,
however, doesn't zero out the memory so if the specific implementation
of the xattr handler is sloppy we can theoretically expose a kernel
memory. There is no real sign this is really the case but let's make
sure this will not happen and use vzalloc instead.
Fixes: 779302e678
("fs/xattr.c:getxattr(): improve handling of allocation failures")
Link: http://lkml.kernel.org/r/20170306103327.2766-1-mhocko@kernel.org
Acked-by: Kees Cook <keescook@chromium.org>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Cc: <stable@vger.kernel.org> [3.6+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
847f716f9e
commit
81be3dee96
@ -530,7 +530,7 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
|
|||||||
size = XATTR_SIZE_MAX;
|
size = XATTR_SIZE_MAX;
|
||||||
kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
|
kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
|
||||||
if (!kvalue) {
|
if (!kvalue) {
|
||||||
kvalue = vmalloc(size);
|
kvalue = vzalloc(size);
|
||||||
if (!kvalue)
|
if (!kvalue)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user