[6/8] xfs_io: fix copy_file_range length argument overflow

Message ID 157982503121.2765410.8361260238180400802.stgit@magnolia
State Accepted
Series
  • xfsprogs: random fixes

Commit Message

Darrick J. Wong Jan. 24, 2020, 12:17 a.m. UTC
From: Darrick J. Wong <darrick.wong@oracle.com>

Don't let the length argument overflow size_t.  This is mostly a problem
on 32-bit platforms.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
 io/copy_file_range.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

Comments

Christoph Hellwig Jan. 25, 2020, 11:18 p.m. UTC | #1
On Thu, Jan 23, 2020 at 04:17:11PM -0800, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@oracle.com>
> 
> Don't let the length argument overflow size_t.  This is mostly a problem
> on 32-bit platforms.
> 
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

Looks good,

Reviewed-by: Christoph Hellwig <hch@lst.de>

Patch

diff --git a/io/copy_file_range.c b/io/copy_file_range.c
index 800b98da..fb5702e1 100644
--- a/io/copy_file_range.c
+++ b/io/copy_file_range.c
@@ -71,6 +71,7 @@  copy_range_f(int argc, char **argv)
 {
 	long long src_off = 0;
 	long long dst_off = 0;
+	long long llen;
 	size_t len = 0;
 	bool len_specified = false;
 	int opt;
@@ -99,11 +100,21 @@  copy_range_f(int argc, char **argv)
 			}
 			break;
 		case 'l':
-			len = cvtnum(fsblocksize, fssectsize, optarg);
-			if (len == -1LL) {
+			llen = cvtnum(fsblocksize, fssectsize, optarg);
+			if (llen == -1LL) {
 				printf(_("invalid length -- %s\n"), optarg);
 				return 0;
 			}
+			/*
+			 * If size_t can't hold what's in llen, report a
+			 * length overflow.
+			 */
+			if ((size_t)llen != llen) {
+				errno = EOVERFLOW;
+				perror("copy_range");
+				return 0;
+			}
+			len = llen;
 			len_specified = true;
 			break;
 		case 'f':
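
Review bot: The round-trip test `(size_t)llen != llen` in the 'l' case only rejects negative values where size_t is narrower than long long. Where size_t is 64 bits wide, both operands are compared as unsigned 64-bit values, so a negative llen other than the -1 handled just above compares equal and is assigned to len as a very large length. If cvtnum can return such a value (its body is not shown in this patch), add an explicit `llen < 0` test next to the cast comparison. Separately, the overflow path reports through perror("copy_range") while the invalid-length path directly above prints optarg; including the offending argument in the overflow message would keep the two error paths consistent.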