
ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow

Message ID tencent_B22CA96C8896C0E9FEEFD2CCAC795A6E500A@qq.com
State New
Series ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow

Commit Message

Edward Adam Davis Oct. 9, 2024, 3:05 p.m. UTC
Syzbot reported a kernel BUG in ocfs2_truncate_inline.
There are two reasons for this: first, the parameter value passed is greater
than UINT_MAX; second, the start and end parameters of ocfs2_truncate_inline
are "unsigned int".

So, we need to add a sanity check for offset and len in ocfs2_fallocate; if
they are greater than UINT_MAX, return -EFBIG.

Reported-and-tested-by: syzbot+81092778aac03460d6b7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/ocfs2/file.c | 3 +++
 1 file changed, 3 insertions(+)
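Added example, not code from the patch or from fs/ocfs2: a user-space C model of the narrowing the commit message describes (a 64-bit offset handed to a callee whose start and end parameters are unsigned int), beside a range check written so that the offset + len comparison cannot itself wrap. The names model_truncate_inline, unchecked_call, inline_range_fits and checked_call are hypothetical, and the start > end test stands in for whatever sanity check the real callee trips.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

typedef long long model_loff_t;   /* stands in for the kernel's loff_t */

/* Callee model: like ocfs2_truncate_inline(), it takes the byte range as
 * unsigned int, so a 64-bit argument is reduced modulo 2^32 on the way in.
 * The start > end test is a hypothetical stand-in for a kernel sanity check. */
static long long model_truncate_inline(unsigned int start, unsigned int end)
{
    if (start > end)
        return -1;
    return (long long)(end - start);   /* bytes the callee believes it removes */
}

/* Unfixed path: the 64-bit values are passed straight through, and the
 * implicit conversion to unsigned int silently drops the high bits. */
static long long unchecked_call(model_loff_t offset, model_loff_t len)
{
    return model_truncate_inline(offset, offset + len);
}

/* Range check that cannot overflow itself: both inputs must be non-negative,
 * offset must fit in unsigned int, and len is compared against the remaining
 * headroom instead of forming offset + len, which could wrap first. */
static int inline_range_fits(model_loff_t offset, model_loff_t len)
{
    if (offset < 0 || len < 0 || offset > UINT_MAX)
        return 0;
    return len <= (model_loff_t)UINT_MAX - offset;
}

/* Fixed path: reject with -EFBIG before anything is narrowed. */
static long long checked_call(model_loff_t offset, model_loff_t len)
{
    if (!inline_range_fits(offset, len))
        return -EFBIG;
    return model_truncate_inline((unsigned int)offset, (unsigned int)(offset + len));
}

int main(void)
{
    /* Constructed inputs: a range just past 4 GiB and one straddling it. */
    printf("unchecked 4GiB+16: %lld\n", unchecked_call(0x100000000LL, 16));
    printf("unchecked straddle: %lld\n", unchecked_call(0xFFFFFFF0LL, 32));
    printf("checked 4GiB+16: %lld (-EFBIG)\n", checked_call(0x100000000LL, 16));
    return 0;
}
```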

Comments

Joseph Qi Oct. 10, 2024, 12:21 p.m. UTC | #1
On 10/9/24 11:05 PM, Edward Adam Davis wrote:
> Syzbot reported a kernel BUG in ocfs2_truncate_inline.
> There are two reasons for this: first, the parameter value passed is greater
> than UINT_MAX, second, the start and end parameters of ocfs2_truncate_inline
> are "unsigned int".
> 
> So, we need to add a sanity check for offset and len in ocfs2_fallocate, if
> they are greater than UINT_MAX return -EFBIG.

fallocate should accept loff_t (aka long long) offset and len.
I guess the reported bug is caused by a crafted image, which sets an
overflowing offset and len in the case of inline data (with flag
OCFS2_INLINE_DATA_FL set).
So IMO, the right place to add a sanity check is right before
ocfs2_truncate_inline() in ocfs2_remove_inode_range().

Thanks,
Joseph

> 
> Reported-and-tested-by: syzbot+81092778aac03460d6b7@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  fs/ocfs2/file.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
> index ad131a2fc58e..ed26ec8ac6b6 100644
> --- a/fs/ocfs2/file.c
> +++ b/fs/ocfs2/file.c
> @@ -2117,6 +2117,9 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset,
>  			return ret;
>  	}
>  
> +	if (offset > UINT_MAX || offset + len > UINT_MAX)
> +		return -EFBIG;
> +
>  	if (mode & FALLOC_FL_PUNCH_HOLE)
>  		cmd = OCFS2_IOC_UNRESVSP64;
>
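Review bot: the new check at the top of the hunk gates every ocfs2_fallocate() call, not only the inline-data path where the unsigned int parameters of ocfs2_truncate_inline() narrow the range, so any fallocate at or beyond 4 GiB on an ordinary file now fails with -EFBIG even though the OCFS2_IOC_UNRESVSP64 command selected two lines later exists for 64-bit ranges. Move the check next to the ocfs2_truncate_inline() call, as suggested above, and since offset and len are loff_t, write the second comparison as `len > UINT_MAX - offset` so the sum itself cannot wrap before it is compared.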

Patch

diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
index ad131a2fc58e..ed26ec8ac6b6 100644
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -2117,6 +2117,9 @@  static long ocfs2_fallocate(struct file *file, int mode, loff_t offset,
 			return ret;
 	}
 
+	if (offset > UINT_MAX || offset + len > UINT_MAX)
+		return -EFBIG;
+
 	if (mode & FALLOC_FL_PUNCH_HOLE)
 		cmd = OCFS2_IOC_UNRESVSP64;
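Review bot: the added `if (offset > UINT_MAX || offset + len > UINT_MAX)` runs before the `mode & FALLOC_FL_PUNCH_HOLE` dispatch and does not look at whether the inode holds inline data, so it rejects legitimate 64-bit ranges on every path while the truncation it guards against only happens where ocfs2_truncate_inline() takes its unsigned int start and end. Keep the check to that call site, and compute it as `len > UINT_MAX - offset` (after the offset check) rather than `offset + len > UINT_MAX`, since adding two loff_t values can overflow before the comparison. A one-line comment saying why the range is limited to UINT_MAX would also help the next reader.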