On Mon, Feb 18, 2019 at 3:23 AM Arijit Banerjee <arijit.banerjee@xxxxxxxxxx> wrote:
>
> If a filesystem returns negative inode sizes,
> future reads on the file were causing the cpu
> to spin on truncate_pagecache. This seems like
> invalid behaviour as a buggy / malicious
> filesystem can cause a lockup.
>
> This patch checks for negative sizes before
> truncating the page cache.
>
> Signed-off-by: Arijit Banerjee <arijit@xxxxxxxxxx>
> ---
>  fs/fuse/inode.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 1b3f3b6..5744d16 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -236,7 +236,9 @@ void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,
>  	bool inval = false;
>
>  	if (oldsize != attr->size) {
> -		truncate_pagecache(inode, attr->size);
> +		if ((off_t)attr->size >= 0)
> +			truncate_pagecache(inode, attr->size);
> +

Hi,

Thanks for the report and patch.

I'd fix it differently: passing a negative size should be invalid
entirely, so we should validate attr.size before calling
fuse_change_attributes...() and return -EIO, just like in case of an
invalid attr.mode.

Do you agree?

E.g. implement a new function: fuse_validate_attr() that returns false
if some attribute is invalid. We possibly need to look at other
attributes as well for invalid values.

Thanks,
Miklos
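Review bot: Skipping truncate_pagecache() when (off_t)attr->size is negative leaves the bad size in place instead of rejecting it: nothing in the hunk returns or reports an error, so fuse_change_attributes() carries on with a size it has just decided is invalid and the page cache is no longer kept consistent with it. Validate attr->size before fuse_change_attributes() is reached and fail the request with an error, rather than special-casing the truncate call, and drop the trailing empty `+` line, which only adds whitespace.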