On Wed, 2009-07-22 at 15:51 +0200, Johannes Weiner wrote:
> > Any of these patches will fix the immediate problem, but I think this
> > code in do_sendfile should still account for the possibility that
> > someone can set the value larger than MAX_LFS_FILESIZE. An alternative
> > is to consider a WARN at mount time when filesystems set s_maxbytes
> > larger than that value (that might help catch out of tree filesystems
> > that get this wrong and prevent this sort of silent bug in the future).
>
> Isn't MAX_LFS_FILESIZE by definition the maximum sensible value for
> s_maxbytes?
>
Pretty much, but nothing seems to enforce it or let you know when you've
exceeded it. It sort of seems like s_maxbytes ought to be loff_t or
something instead of an unsigned long long. A negative value there
wouldn't make much sense, but no one would be as tempted to set it
higher than MAX_LFS_FILESIZE.
> > Either way, the patch I posted for this isn't sufficient since there are
> > some checks that need to be done against the signed values (the
> > (pos < 0) check, for instance). I'll post a respun patch in a bit that
> > should fix up those problems.
>
> That is already handled in rw_verify_area(), I think, so we should be
> able to drop it completely.
If we get rid of those checks altogether, then "max" will become unused.
Is that really OK here?
For discussion purposes, I've attached a replacement patch that I'm
working with now.
--
Jeff Layton <jlayton@xxxxxxxxxx>
>From 00a22f2f1e34ba0765ca49120499e681477a265a Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@xxxxxxxxxx>
Date: Wed, 22 Jul 2009 08:36:22 -0400
Subject: [PATCH] fix offset checks in do_sendfile to use unsigned values (try #2)
This is the second version of this patch. Some of the checks do need
to use signed values. This patch should be more correct in that regard.
This also adds a check to make sure that "pos + count" doesn't
overflow.
If do_sendfile is called with a "max" value of 0, it grabs the lesser
s_maxbytes value of the two superblocks to use instead. There's a
problem here however. s_maxbytes is an unsigned long long and it gets
cast to a signed value. If both s_maxbytes values are large enough, max
will end up being negative and the comparisons in this code won't work
correctly.
Change do_sendfile to use unsigned values internally for the offset
checks against "max".
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
fs/read_write.c | 21 ++++++++++++---------
1 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/fs/read_write.c b/fs/read_write.c
index 6c8c55d..2c5b402 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -788,11 +788,11 @@ SYSCALL_DEFINE5(pwritev, unsigned long, fd, const struct iovec __user *, vec,
}
static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
- size_t count, loff_t max)
+ size_t count, unsigned long long max)
{
struct file * in_file, * out_file;
struct inode * in_inode, * out_inode;
- loff_t pos;
+ unsigned long long pos, newpos;
ssize_t retval;
int fput_needed_in, fput_needed_out, fl;
@@ -835,14 +835,16 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
goto fput_out;
count = retval;
- if (!max)
- max = min(in_inode->i_sb->s_maxbytes, out_inode->i_sb->s_maxbytes);
-
- pos = *ppos;
retval = -EINVAL;
- if (unlikely(pos < 0))
+ if (unlikely(*ppos < 0))
goto fput_out;
- if (unlikely(pos + count > max)) {
+
+ if (!max)
+ max = min(in_inode->i_sb->s_maxbytes,
+ out_inode->i_sb->s_maxbytes);
+ pos = (unsigned long long) *ppos;
+ newpos = pos + count;
+ if (unlikely(newpos > max || newpos < count)) {
retval = -EOVERFLOW;
if (pos >= max)
goto fput_out;
@@ -869,7 +871,8 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
inc_syscr(current);
inc_syscw(current);
- if (*ppos > max)
+ pos = (unsigned long long) *ppos;
+ if (pos > max)
retval = -EOVERFLOW;
fput_out:
--
1.6.2.5
