From patchwork Tue Apr 17 05:39:07 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Darrick J. Wong" X-Patchwork-Id: 10344383 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 577AE60542 for ; Tue, 17 Apr 2018 05:39:14 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 47A77289AA for ; Tue, 17 Apr 2018 05:39:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3C685289AC; Tue, 17 Apr 2018 05:39:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8DDD4289AA for ; Tue, 17 Apr 2018 05:39:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750790AbeDQFjM (ORCPT ); Tue, 17 Apr 2018 01:39:12 -0400 Received: from userp2120.oracle.com ([156.151.31.85]:54146 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750764AbeDQFjM (ORCPT ); Tue, 17 Apr 2018 01:39:12 -0400 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w3H5aUqO110741; Tue, 17 Apr 2018 05:39:09 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=corp-2017-10-26; bh=ruAi/7jgCF0oR+dFpPytoYFZwlOJROhs7Snx61Qc9ig=; b=HNT0ZswQZDJ6+PHIsK+AXuyxrlKESX5tSCf9sH6yLtlDSf+/7WY/VC7zkQoDBtOdlOiK hKylF+yZvisCrICkQH3kcXn5rNoRzZXeq8jze+6qOm6HFZ94gxCqPKnNrgyTe1RwoDLA wCKZkMrzEUk7XqZNTzLuEQqXqFhH33vDeOrUJho9kA7COapbOx5dVFFijlIUiMdhGPCw IqLOFA6mTBqU9EWEOz1G302u/nnKVzrr8FxWSvcprSwljjKF7DAlz7i6qc3TBmw5732j 5mVPAUrn4CM1IqWIBHtH02QsTHeR2Uf5A0FMHLss8oZYFB3Uc5gVgLVaTcUyMWhYYBME 8A== Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2hbam582cw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 17 Apr 2018 05:39:09 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w3H5d94b000510 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 17 Apr 2018 05:39:09 GMT Received: from abhmp0008.oracle.com (abhmp0008.oracle.com [141.146.116.14]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w3H5d99Q022065; Tue, 17 Apr 2018 05:39:09 GMT Received: from localhost (/67.169.218.210) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 16 Apr 2018 22:39:08 -0700 Date: Mon, 16 Apr 2018 22:39:07 -0700 From: "Darrick J. Wong" To: Eric Biggers Cc: linux-xfs@vger.kernel.org, Eric Biggers Subject: [PATCH v2] xfs: prevent creating negative-sized file via INSERT_RANGE Message-ID: <20180417053907.GE5203@magnolia> References: <20180416204630.177682-1-ebiggers3@gmail.com> <20180417005218.GC5203@magnolia> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20180417005218.GC5203@magnolia> User-Agent: Mutt/1.5.24 (2015-08-30) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8865 signatures=668698 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804170050 Sender: linux-xfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-xfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP How about this instead? --D Reviewed-by: Christoph Hellwig --- From: Eric Biggers During the "insert range" fallocate operation, i_size grows by the specified 'len' bytes. XFS verifies that i_size + len < s_maxbytes, as it should. But this comparison is done using the signed 'loff_t', and 'i_size + len' can wrap around to a negative value, causing the check to incorrectly pass, resulting in an inode with "negative" i_size. This is possible on 64-bit platforms, where XFS sets s_maxbytes = LLONG_MAX. ext4 and f2fs don't run into this because they set a smaller s_maxbytes. Fix it by doing an unsigned comparison instead. Reproducer: xfs_io -f file -c "truncate $(((1<<63)-1))" -c "finsert 0 4096" Fixes: a904b1ca5751 ("xfs: Add support FALLOC_FL_INSERT_RANGE for fallocate") Cc: # v4.1+ Signed-off-by: Eric Biggers Reviewed-by: Darrick J. Wong [darrick: rearrange this whole function to use subtraction to avoid overflow of the signed integer addition] Signed-off-by: Darrick J. Wong --- fs/xfs/xfs_file.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-xfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c index 9fd9dd7..a385334 100644 --- a/fs/xfs/xfs_file.c +++ b/fs/xfs/xfs_file.c @@ -779,21 +779,27 @@ xfs_file_fallocate( goto out_unlock; } else if (mode & FALLOC_FL_INSERT_RANGE) { unsigned int blksize_mask = i_blocksize(inode) - 1; + loff_t isize; - new_size = i_size_read(inode) + len; - if (offset & blksize_mask || len & blksize_mask) { - error = -EINVAL; + isize = i_size_read(inode); + + /* + * New inode size must not exceed ->s_maxbytes, accounting for + * possible signed overflow. + */ + if (inode->i_sb->s_maxbytes - isize < len) { + error = -EFBIG; goto out_unlock; } - /* check the new inode size does not wrap through zero */ - if (new_size > inode->i_sb->s_maxbytes) { - error = -EFBIG; + if (offset & blksize_mask || len & blksize_mask) { + error = -EINVAL; goto out_unlock; } + new_size = isize + len; /* Offset should be less than i_size */ - if (offset >= i_size_read(inode)) { + if (offset >= isize) { error = -EINVAL; goto out_unlock; }