[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220815180441.572481916@linuxfoundation.org>
Date: Mon, 15 Aug 2022 19:50:09 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, David Howells <dhowells@...hat.com>,
Jeff Layton <jlayton@...nel.org>,
Namjae Jeon <linkinjeon@...nel.org>, stable@...nel.org,
Alexander Viro <viro@...iv.linux.org.uk>,
Steve French <sfrench@...ba.org>,
Hyunchul Lee <hyc.lee@...il.com>,
Chuck Lever <chuck.lever@...cle.com>,
Dave Wysochanski <dwysocha@...hat.com>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: [PATCH 5.19 0053/1157] vfs: Check the truncate maximum size in inode_newsize_ok()
From: David Howells <dhowells@...hat.com>
commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream.
If something manages to set the maximum file size to MAX_OFFSET+1, this
can cause the xfs and ext4 filesystems at least to become corrupt.
Ordinarily, the kernel protects against userspace trying this by
checking the value early in the truncate() and ftruncate() system calls
calls - but there are at least two places that this check is bypassed:
(1) Cachefiles will round up the EOF of the backing file to DIO block
size so as to allow DIO on the final block - but this might push
the offset negative. It then calls notify_change(), but this
inadvertently bypasses the checking. This can be triggered if
someone puts an 8EiB-1 file on a server for someone else to try and
access by, say, nfs.
(2) ksmbd doesn't check the value it is given in set_end_of_file_info()
and then calls vfs_truncate() directly - which also bypasses the
check.
In both cases, it is potentially possible for a network filesystem to
cause a disk filesystem to be corrupted: cachefiles in the client's
cache filesystem; ksmbd in the server's filesystem.
nfsd is okay as it checks the value, but we can then remove this check
too.
Fix this by adding a check to inode_newsize_ok(), as called from
setattr_prepare(), thereby catching the issue as filesystems set up to
perform the truncate with minimal opportunity for bypassing the new
check.
Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling")
Fixes: f44158485826 ("cifsd: add file operations")
Signed-off-by: David Howells <dhowells@...hat.com>
Reported-by: Jeff Layton <jlayton@...nel.org>
Tested-by: Jeff Layton <jlayton@...nel.org>
Reviewed-by: Namjae Jeon <linkinjeon@...nel.org>
Cc: stable@...nel.org
Acked-by: Alexander Viro <viro@...iv.linux.org.uk>
cc: Steve French <sfrench@...ba.org>
cc: Hyunchul Lee <hyc.lee@...il.com>
cc: Chuck Lever <chuck.lever@...cle.com>
cc: Dave Wysochanski <dwysocha@...hat.com>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
fs/attr.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -184,6 +184,8 @@ EXPORT_SYMBOL(setattr_prepare);
*/
int inode_newsize_ok(const struct inode *inode, loff_t offset)
{
+ if (offset < 0)
+ return -EINVAL;
if (inode->i_size < offset) {
unsigned long limit;
Powered by blists - more mailing lists