linux/net/sunrpc
Sasha Levin 212ba90696 SUNRPC: Prevent kernel stack corruption on long values of flush
The buffer size in read_flush() is too small for the longest possible values
for it. This can lead to a kernel stack corruption:

[   43.047329] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff833e64b4
[   43.047329]
[   43.049030] Pid: 6015, comm: trinity-child18 Tainted: G        W    3.5.0-rc7-next-20120716-sasha #221
[   43.050038] Call Trace:
[   43.050435]  [<ffffffff836c60c2>] panic+0xcd/0x1f4
[   43.050931]  [<ffffffff833e64b4>] ? read_flush.isra.7+0xe4/0x100
[   43.051602]  [<ffffffff810e94e6>] __stack_chk_fail+0x16/0x20
[   43.052206]  [<ffffffff833e64b4>] read_flush.isra.7+0xe4/0x100
[   43.052951]  [<ffffffff833e6500>] ? read_flush_pipefs+0x30/0x30
[   43.053594]  [<ffffffff833e652c>] read_flush_procfs+0x2c/0x30
[   43.053596]  [<ffffffff812b9a8c>] proc_reg_read+0x9c/0xd0
[   43.053596]  [<ffffffff812b99f0>] ? proc_reg_write+0xd0/0xd0
[   43.053596]  [<ffffffff81250d5b>] do_loop_readv_writev+0x4b/0x90
[   43.053596]  [<ffffffff81250fd6>] do_readv_writev+0xf6/0x1d0
[   43.053596]  [<ffffffff812510ee>] vfs_readv+0x3e/0x60
[   43.053596]  [<ffffffff812511b8>] sys_readv+0x48/0xb0
[   43.053596]  [<ffffffff8378167d>] system_call_fastpath+0x1a/0x1f

Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2012-10-17 14:59:10 -04:00
auth_gss SUNRPC: Use __func__ in dprintk() in auth_gss.c 2012-10-01 15:32:02 -07:00
xprtrdma Merge branch 'for-3.7' of git://linux-nfs.org/~bfields/linux 2012-10-13 10:53:54 +09:00
Kconfig nfs: enable swap on NFS 2012-07-31 18:42:48 -07:00
Makefile
addr.c
auth.c SUNRPC: Add rpcauth_list_flavors() 2012-07-16 15:12:15 -04:00
auth_generic.c
auth_null.c
auth_unix.c
backchannel_rqst.c net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
bc_svc.c
cache.c SUNRPC: Prevent kernel stack corruption on long values of flush 2012-10-17 14:59:10 -04:00
clnt.c SUNRPC: Introduce rpc_clone_client_set_auth() 2012-10-01 15:33:33 -07:00
netns.h
rpc_pipe.c SUNRPC: Clean up dprintk messages in rpc_pipe.c 2012-10-01 15:31:57 -07:00
rpcb_clnt.c SUNRPC: return negative value in case rpcbind client creation error 2012-07-30 20:39:05 -04:00
sched.c SUNRPC: Limit the rpciod workqueue concurrency 2012-09-28 20:24:16 -04:00
socklib.c
stats.c
sunrpc.h
sunrpc_syms.c
svc.c
svc_xprt.c svcrpc: split up svc_handle_xprt 2012-08-21 17:42:02 -04:00
svcauth.c
svcauth_unix.c ipv6: add ipv6_addr_hash() helper 2012-07-18 11:28:46 -07:00
svcsock.c nfsd: remove unused listener-removal interfaces 2012-09-10 10:55:19 -04:00
sysctl.c
timer.c
xdr.c SUNRPC: Optimise away unnecessary data moves in xdr_align_pages 2012-09-28 15:58:42 -04:00
xprt.c SUNRPC: Get rid of the redundant xprt->shutdown bit field 2012-09-28 16:03:05 -04:00
xprtsock.c SUNRPC: Get rid of the redundant xprt->shutdown bit field 2012-09-28 16:03:05 -04:00