Re: [PATCH v2 4/8] vfs: add missing checks to copy_file_range

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, May 28, 2019 at 07:26:29PM +0300, Amir Goldstein wrote:
> On Tue, May 28, 2019 at 7:18 PM Darrick J. Wong <darrick.wong@xxxxxxxxxx> wrote:
> >
> > On Sun, May 26, 2019 at 09:10:55AM +0300, Amir Goldstein wrote:
> > > Like the clone and dedupe interfaces we've recently fixed, the
> > > copy_file_range() implementation is missing basic sanity, limits and
> > > boundary condition tests on the parameters that are passed to it
> > > from userspace. Create a new "generic_copy_file_checks()" function
> > > modelled on the generic_remap_checks() function to provide this
> > > missing functionality.
> > >
> > > [Amir] Shorten copy length instead of checking pos_in limits
> > > because input file size already abides by the limits.
> > >
> > > Signed-off-by: Dave Chinner <dchinner@xxxxxxxxxx>
> > > Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx>
> > > ---
> > >  fs/read_write.c    |  3 ++-
> > >  include/linux/fs.h |  3 +++
> > >  mm/filemap.c       | 53 ++++++++++++++++++++++++++++++++++++++++++++++
> > >  3 files changed, 58 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/fs/read_write.c b/fs/read_write.c
> > > index f1900bdb3127..b0fb1176b628 100644
> > > --- a/fs/read_write.c
> > > +++ b/fs/read_write.c
> > > @@ -1626,7 +1626,8 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
> > >       if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb)
> > >               return -EXDEV;
> > >
> > > -     ret = generic_file_rw_checks(file_in, file_out);
> > > +     ret = generic_copy_file_checks(file_in, pos_in, file_out, pos_out, &len,
> > > +                                    flags);
> > >       if (unlikely(ret))
> > >               return ret;
> > >
> > > diff --git a/include/linux/fs.h b/include/linux/fs.h
> > > index 89b9b73eb581..e4d382c4342a 100644
> > > --- a/include/linux/fs.h
> > > +++ b/include/linux/fs.h
> > > @@ -3050,6 +3050,9 @@ extern int generic_remap_checks(struct file *file_in, loff_t pos_in,
> > >                               struct file *file_out, loff_t pos_out,
> > >                               loff_t *count, unsigned int remap_flags);
> > >  extern int generic_file_rw_checks(struct file *file_in, struct file *file_out);
> > > +extern int generic_copy_file_checks(struct file *file_in, loff_t pos_in,
> > > +                                 struct file *file_out, loff_t pos_out,
> > > +                                 size_t *count, unsigned int flags);
> > >  extern ssize_t generic_file_read_iter(struct kiocb *, struct iov_iter *);
> > >  extern ssize_t __generic_file_write_iter(struct kiocb *, struct iov_iter *);
> > >  extern ssize_t generic_file_write_iter(struct kiocb *, struct iov_iter *);
> > > diff --git a/mm/filemap.c b/mm/filemap.c
> > > index 798aac92cd76..1852fbf08eeb 100644
> > > --- a/mm/filemap.c
> > > +++ b/mm/filemap.c
> > > @@ -3064,6 +3064,59 @@ int generic_file_rw_checks(struct file *file_in, struct file *file_out)
> > >       return 0;
> > >  }
> > >
> > > +/*
> > > + * Performs necessary checks before doing a file copy
> > > + *
> > > + * Can adjust amount of bytes to copy
> >
> > That's the @req_count parameter, correct?
> 
> Correct. Same as generic_remap_checks()

Ok.  Would you mind updating the comment?

> >
> > > + * Returns appropriate error code that caller should return or
> > > + * zero in case the copy should be allowed.
> > > + */
> > > +int generic_copy_file_checks(struct file *file_in, loff_t pos_in,
> > > +                          struct file *file_out, loff_t pos_out,
> > > +                          size_t *req_count, unsigned int flags)
> > > +{
> > > +     struct inode *inode_in = file_inode(file_in);
> > > +     struct inode *inode_out = file_inode(file_out);
> > > +     uint64_t count = *req_count;
> > > +     loff_t size_in;
> > > +     int ret;
> > > +
> > > +     ret = generic_file_rw_checks(file_in, file_out);
> > > +     if (ret)
> > > +             return ret;
> > > +
> > > +     /* Don't touch certain kinds of inodes */
> > > +     if (IS_IMMUTABLE(inode_out))
> > > +             return -EPERM;
> > > +
> > > +     if (IS_SWAPFILE(inode_in) || IS_SWAPFILE(inode_out))
> > > +             return -ETXTBSY;
> > > +
> > > +     /* Ensure offsets don't wrap. */
> > > +     if (pos_in + count < pos_in || pos_out + count < pos_out)
> > > +             return -EOVERFLOW;
> > > +
> > > +     /* Shorten the copy to EOF */
> > > +     size_in = i_size_read(inode_in);
> > > +     if (pos_in >= size_in)
> > > +             count = 0;
> > > +     else
> > > +             count = min(count, size_in - (uint64_t)pos_in);
> >
> > Do we need a call to generic_access_check_limits(file_in...) here to
> > prevent copies from ranges that the page cache doesn't support?
> 
> No. Because i_size cannot be of an illegal size and we cap
> the read to i_size.
> I also removed generic_access_check_limits() from generic_remap_checks()
> for a similar reason in patch #8.

<nod>

--D

> Thanks,
> Amir.



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux