From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Date: Mon, 19 Jul 2010 20:58:20 +0000 (-0400)
Subject: Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE
X-Git-Tag: v2.6.35-rc6~27^2
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ebc3464781ad24474abcbd2274e6254689853b5;p=pandora-kernel.git

Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE

1.  The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check
whether the donor file is append-only before writing to it.

2.  The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer
overflow that allows a user to specify an out-of-bounds range to copy
from the source file (if off + len wraps around).  I haven't been able
to successfully exploit this, but I'd imagine that a clever attacker
could use this to read things he shouldn't.  Even if it's not
exploitable, it couldn't hurt to be safe.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
cc: stable@kernel.org
Signed-off-by: Chris Mason <chris.mason@oracle.com>
---

Reading git-diff-tree failed