author | Daniel Rosenberg <drosen@google.com> | 2018-07-20 23:11:40 (GMT) |
---|---|---|
committer | Wencai You <wencai.you@amlogic.com> | 2019-03-13 06:43:12 (GMT) |
commit | e5805b4410dcacbc9e11b6dc75368375b848e22d (patch) | |
tree | 470c5a40abf923d484d4890e0c0716180ef2b131 | |
parent | 009354756a2ee7719d2002aa5243040c206a02d2 (diff) | |
download | common-e5805b4410dcacbc9e11b6dc75368375b848e22d.zip common-e5805b4410dcacbc9e11b6dc75368375b848e22d.tar.gz common-e5805b4410dcacbc9e11b6dc75368375b848e22d.tar.bz2 |
ANDROID: sdcardfs: Change current->fs under lock
PD#SWPL-5666
Problem:
STS test fail
testPocCVE_2018_9515
Solution:
bug: 111641492 from security
Verify:
U212
Change-Id: I79e9894f94880048edaf0f7cfa2d180f65cbcf3b
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Rosenberg <drosen@google.com>
-rw-r--r-- | fs/sdcardfs/inode.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/fs/sdcardfs/inode.c b/fs/sdcardfs/inode.c index 84df23ac0..57bdc68 100644 --- a/fs/sdcardfs/inode.c +++ b/fs/sdcardfs/inode.c @@ -95,8 +95,10 @@ static int sdcardfs_create(struct inode *dir, struct dentry *dentry, err = -ENOMEM; goto out_unlock; } + copied_fs->umask = 0; + task_lock(current); current->fs = copied_fs; - current->fs->umask = 0; + task_unlock(current); err = vfs_create2(lower_dentry_mnt, d_inode(lower_parent_dentry), lower_dentry, mode, want_excl); if (err) goto out; @@ -110,7 +112,9 @@ static int sdcardfs_create(struct inode *dir, struct dentry *dentry, fixup_lower_ownership(dentry, dentry->d_name.name); out: + task_lock(current); current->fs = saved_fs; + task_unlock(current); free_fs_struct(copied_fs); out_unlock: unlock_dir(lower_parent_dentry); @@ -316,8 +320,10 @@ static int sdcardfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode unlock_dir(lower_parent_dentry); goto out_unlock; } + copied_fs->umask = 0; + task_lock(current); current->fs = copied_fs; - current->fs->umask = 0; + task_unlock(current); err = vfs_mkdir2(lower_mnt, d_inode(lower_parent_dentry), lower_dentry, mode); if (err) { @@ -377,7 +383,10 @@ static int sdcardfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode } } out: + task_lock(current); current->fs = saved_fs; + task_unlock(current); + free_fs_struct(copied_fs); out_unlock: sdcardfs_put_lower_path(dentry, &lower_path); |