UBUNTU: SAUCE: fs: fix UAF/GPF bug in nilfs_mdt_destroy
In alloc_inode, inode_init_always() could return -ENOMEM if
security_inode_alloc() fails, which leaves inode->i_private
uninitialized. Then nilfs_is_metadata_file_inode() returns
true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
which frees the uninitialized inode->i_private
and leads to crashes (e.g., UAF/GPF).
Fix this by moving security_inode_alloc just prior to
this_cpu_inc(nr_inodes).
Link: https://lkml.<email address hidden>
Reported-by: butt3rflyh4ck <email address hidden>
Reported-by: Hao Sun <email address hidden>
Reported-by: Jiacheng Xu <email address hidden>
Reviewed-by: Christian Brauner (Microsoft) <email address hidden>
Signed-off-by: Dongliang Mu <email address hidden>
Cc: Al Viro <email address hidden>
Cc: <email address hidden>
Signed-off-by: Al Viro <email address hidden>
(cherry picked from commit dcd684c9aafe2ba01264c9f9d7480e16c89a3a4b linux-next.git)
CVE-2022-2978
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Paolo Pisati <email address hidden>
Verify that the fbdev or drm driver correctly adjusted the virtual
screen sizes. On failure report the failing driver and reject the screen
size change.
fbcon: Prevent that screen size is smaller than font size
We need to prevent users from configuring a screen size which is smaller than the
currently selected font size. Otherwise rendering chars on the screen will
access memory outside the graphics memory region.
This patch adds a new function fbcon_modechange_possible() which
implements this check and which later may be extended with other checks
if necessary. The new function is called from the FBIOPUT_VSCREENINFO
ioctl handler in fbmem.c, which will return -EINVAL if userspace asked
for a too small screen size.
fbcon: Disallow setting font bigger than screen size
Prevent users from setting a font size which is bigger than the physical screen.
It's unlikely this will happen (because screens are usually much larger than the
fonts and each font char is limited to 32x32 pixels), but it may happen on
smaller screens/LCD displays.
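The two fbcon commits above are the same invariant enforced from both sides: a mode change must not shrink the screen below the current font, and a font change must not grow the font beyond the current screen. The following is an added, self-contained illustration of that check and is not the kernel's fbcon_modechange_possible() or any other code from the commits; the struct names, the check_modechange()/check_fontchange() functions and the sample geometries are hypothetical stand-ins for the kernel's fb_var_screeninfo and console font data.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins (constructed for this example) for the
 * visible screen geometry and the glyph cell of the selected console font. */
struct screen_geometry { unsigned int xres, yres; };   /* visible pixels */
struct font_geometry   { unsigned int width, height; }; /* glyph cell in pixels */

/* The commit text states each font char is limited to 32x32 pixels. */
#define FONT_MAX_DIM 32u

/* True when at least one whole glyph cell fits on the screen in both axes.
 * If this is false, drawing even a single character would write past the
 * visible rows/columns, i.e. outside the graphics memory the mode covers. */
static bool geometry_compatible(const struct screen_geometry *s,
                                const struct font_geometry *f)
{
    if (f->width == 0 || f->height == 0)
        return false;                       /* degenerate font */
    if (f->width > FONT_MAX_DIM || f->height > FONT_MAX_DIM)
        return false;                       /* larger than any valid glyph */
    return s->xres >= f->width && s->yres >= f->height;
}

/* Mode-change path (the FBIOPUT_VSCREENINFO side): the requested screen size
 * is checked against the font that is currently selected.
 * Returns 0 on success, -EINVAL if the new screen could not hold one glyph. */
int check_modechange(unsigned int new_xres, unsigned int new_yres,
                     unsigned int cur_fw, unsigned int cur_fh)
{
    struct screen_geometry s = { new_xres, new_yres };
    struct font_geometry f = { cur_fw, cur_fh };
    return geometry_compatible(&s, &f) ? 0 : -EINVAL;
}

/* Font-change path: the requested font is checked against the current screen.
 * Returns 0 on success, -EINVAL if the font is bigger than the screen. */
int check_fontchange(unsigned int cur_xres, unsigned int cur_yres,
                     unsigned int new_fw, unsigned int new_fh)
{
    struct screen_geometry s = { cur_xres, cur_yres };
    struct font_geometry f = { new_fw, new_fh };
    return geometry_compatible(&s, &f) ? 0 : -EINVAL;
}

/* Number of whole text columns/rows the geometry yields; 0 signals that the
 * combination must be rejected rather than rendered. */
unsigned int text_columns(unsigned int xres, unsigned int fw)
{
    return fw ? xres / fw : 0;
}

unsigned int text_rows(unsigned int yres, unsigned int fh)
{
    return fh ? yres / fh : 0;
}

int main(void)
{
    /* Constructed sample requests: a normal VGA-sized mode, a tiny mode that
     * is smaller than the 8x16 font, and a 32x32 font on a 24x24 panel. */
    printf("640x480 with 8x16 font: %d\n", check_modechange(640, 480, 8, 16));
    printf("6x10 with 8x16 font: %d (rejected)\n", check_modechange(6, 10, 8, 16));
    printf("32x32 font on 24x24 screen: %d (rejected)\n",
           check_fontchange(24, 24, 32, 32));
    printf("text grid at 640x480/8x16: %ux%u\n",
           text_columns(640, 8), text_rows(480, 16));
    return 0;
}
```

The ordering matters in the same way the commits describe: the mode-change check runs before the driver is asked to switch modes, and the font-change check runs before the new font is installed, so a rejected request leaves the previously valid screen/font pair untouched.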