nfs_super_set_maxbytes patch

Hello. I've found a small bug in what appears to be the maximum file
size handling code.

The problem here, as far as I understand, is that casting from an
unsigned type to a signed type, when the latter cannot represent the
arithmetic value of the former, is UB. In practice, under the PaX size
overflow protection, this code crashes when mounting from FreeBSD
servers that send "all ones" in the size field.

Not sure I'm doing things right with the list and I'm not subscribed, so
please CC.

The fix should look something like this:

--- fs/nfs/internal.h.orig	2015-11-02 10:05:25.000000000 +1000
+++ fs/nfs/internal.h	2016-01-02 03:19:04.599120855 +1000
@@ -612,9 +612,9 @@
 static inline
 void nfs_super_set_maxbytes(struct super_block *sb, __u64 maxfilesize)
 {
+	if (maxfilesize > MAX_LFS_FILESIZE || maxfilesize == 0)
+		maxfilesize = MAX_LFS_FILESIZE;
 	sb->s_maxbytes = (loff_t)maxfilesize;
-	if (sb->s_maxbytes > MAX_LFS_FILESIZE || sb->s_maxbytes <= 0)
-		sb->s_maxbytes = MAX_LFS_FILESIZE;
 }
 
 /*
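Review bot: In the new `if` at the top of the function body, `maxfilesize > MAX_LFS_FILESIZE` compares a `__u64` against a macro whose type is not visible in this hunk. If the macro expands to a signed `loff_t`, the comparison still works because the constant is positive and is converted to unsigned, but writing `(__u64)MAX_LFS_FILESIZE` would state that intent rather than rely on the conversion rules. With the clamp placed ahead of the cast, `(loff_t)maxfilesize` is always in range, and the values the removed `sb->s_maxbytes <= 0` test caught as negative are now caught by the `>` test, so in-range sizes behave as before. A one-line comment on why a server value of 0 maps to MAX_LFS_FILESIZE would help the next reader. For submission, the patch also needs a Signed-off-by line and `a/` and `b/` path prefixes in place of the `.orig` header so it applies with -p1.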


-- AD
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


