UBUNTU: SAUCE: shiftfs: support copy_file_range on btrfs through ioctl()
Unprivileged users can use FICLONE so we need to support it in btrfs as
well to prevent workload regression.
FICLONE first appeared in Linux 4.5. It was previously known as
BTRFS_IOC_CLONE, and was private to Btrfs.
Signed-off-by: Christian Brauner <email address hidden>

UBUNTU: SAUCE: shiftfs: allow changing ro/rw for subvolumes
Unprivileged users can already toggle whether a subvolume will be ro or
rw. To enable this with shiftfs we need to whitelist BTRFS_IOC_FS_INFO,
BTRFS_IOC_SUBVOL_GETFLAGS, BTRFS_IOC_SUBVOL_SETFLAGS. All of them should
be safe for unprivileged users.
Signed-off-by: Christian Brauner <email address hidden>

In 58441dc86d7b the error "Unable to open file: ..." has been downgraded
to warning in the integrity/ima subsystem. Do the same for a similar
error message in the generic integrity subsystem.

syzbot was able to crash host by sending UDP packets with a 0 payload.
TCP does not have this issue since we do not aggregate packets without
payload.
Since dev_gro_receive() sets gso_size based on skb_gro_len(skb)
it seems not worth trying to cope with padded packets.
BUG: KASAN: slab-out-of-bounds in skb_gro_receive+0xf5f/0x10e0 net/core/skbuff.c:3826
Read of size 16 at addr ffff88808893fff0 by task syz-executor612/7889
The buggy address belongs to the object at ffff88808893f7c0
which belongs to the cache mm_struct of size 1496
The buggy address is located 600 bytes to the right of
1496-byte region [ffff88808893f7c0, ffff88808893fd98)
The buggy address belongs to the page:
page:ffffea0002224f80 count:1 mapcount:0 mapping:ffff88821bc40ac0 index:0xffff88808893f7c0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00025b4f08 ffffea00027b9d08 ffff88821bc40ac0
raw: ffff88808893f7c0 ffff88808893e440 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808893fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88808893ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808893ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^
ffff888088940000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888088940080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Fixes: e20cf8d3f1f7 ("udp: implement GRO for plain UDP sockets.")
Signed-off-by: Eric Dumazet <email address hidden>
Cc: Paolo Abeni <email address hidden>
Reported-by: syzbot <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
CVE-2019-11683
(cherry picked from commit 4dd2b82d5adfbe0b1587ccad7a8f76d826120f37)
Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Forshee <email address hidden>
Acked-by: Steve Beattie <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

Currently, the UDP GRO code path does bad things on some edge
conditions - Aggregation can happen even on packets with different
lengths.
Fix the above by rewriting the 'complete' condition for GRO
packets. While at it, note explicitly that we allow merging the
first packet per burst below gso_size.
Reported-by: Sean Tong <email address hidden>
Fixes: e20cf8d3f1f7 ("udp: implement GRO for plain UDP sockets.")
Signed-off-by: Paolo Abeni <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
CVE-2019-11683
(cherry picked from commit 21f1b8a6636c4dbde4aa1ec0343f42eaf653ffcc)
Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Forshee <email address hidden>
Acked-by: Steve Beattie <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>