| Message ID | 20191122085320.124560-6-cmaiolino@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Refactor ioctl_fibmap() internal interface | expand |
On Fri, Nov 22, 2019 at 09:53:20AM +0100, Carlos Maiolino wrote: > FIBMAP receives an integer from userspace which is then implicitly converted > into sector_t to be passed to bmap(). No check is made to ensure userspace > didn't send a negative block number, which can end up in an underflow, and > returning to userspace a corrupted block address. > > As a side-effect, the underflow caused by a negative block here, will > trigger the WARN() in iomap_bmap_actor(), which is how this issue was > first discovered. > > This is essentially a V2 of a patch I sent a while ago, reworded and > refactored to fit into this patchset. That last sentence should probably be removed. Otherwise: Reviewed-by: Christoph Hellwig <hch@lst.de>
diff --git a/fs/ioctl.c b/fs/ioctl.c index 6b589c873bc2..6b365b3eff70 100644 --- a/fs/ioctl.c +++ b/fs/ioctl.c @@ -64,6 +64,9 @@ static int ioctl_fibmap(struct file *filp, int __user *p) if (error) return error; + if (ur_block < 0) + return -EINVAL; + block = ur_block; error = bmap(inode, &block);
FIBMAP receives an integer from userspace which is then implicitly converted into sector_t to be passed to bmap(). No check is made to ensure userspace didn't send a negative block number, which can end up in an underflow, and returning to userspace a corrupted block address. As a side-effect, the underflow caused by a negative block here, will trigger the WARN() in iomap_bmap_actor(), which is how this issue was first discovered. This is essentially a V2 of a patch I sent a while ago, reworded and refactored to fit into this patchset. Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com> --- fs/ioctl.c | 3 +++ 1 file changed, 3 insertions(+)