Re: [PATCH v2 4/8] vfs: add missing checks to copy_file_range

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, May 28, 2019 at 7:18 PM Darrick J. Wong <darrick.wong@xxxxxxxxxx> wrote:
>
> On Sun, May 26, 2019 at 09:10:55AM +0300, Amir Goldstein wrote:
> > Like the clone and dedupe interfaces we've recently fixed, the
> > copy_file_range() implementation is missing basic sanity, limits and
> > boundary condition tests on the parameters that are passed to it
> > from userspace. Create a new "generic_copy_file_checks()" function
> > modelled on the generic_remap_checks() function to provide this
> > missing functionality.
> >
> > [Amir] Shorten copy length instead of checking pos_in limits
> > because input file size already abides by the limits.
> >
> > Signed-off-by: Dave Chinner <dchinner@xxxxxxxxxx>
> > Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx>
> > ---
> >  fs/read_write.c    |  3 ++-
> >  include/linux/fs.h |  3 +++
> >  mm/filemap.c       | 53 ++++++++++++++++++++++++++++++++++++++++++++++
> >  3 files changed, 58 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/read_write.c b/fs/read_write.c
> > index f1900bdb3127..b0fb1176b628 100644
> > --- a/fs/read_write.c
> > +++ b/fs/read_write.c
> > @@ -1626,7 +1626,8 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
> >       if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb)
> >               return -EXDEV;
> >
> > -     ret = generic_file_rw_checks(file_in, file_out);
> > +     ret = generic_copy_file_checks(file_in, pos_in, file_out, pos_out, &len,
> > +                                    flags);
> >       if (unlikely(ret))
> >               return ret;
> >
> > diff --git a/include/linux/fs.h b/include/linux/fs.h
> > index 89b9b73eb581..e4d382c4342a 100644
> > --- a/include/linux/fs.h
> > +++ b/include/linux/fs.h
> > @@ -3050,6 +3050,9 @@ extern int generic_remap_checks(struct file *file_in, loff_t pos_in,
> >                               struct file *file_out, loff_t pos_out,
> >                               loff_t *count, unsigned int remap_flags);
> >  extern int generic_file_rw_checks(struct file *file_in, struct file *file_out);
> > +extern int generic_copy_file_checks(struct file *file_in, loff_t pos_in,
> > +                                 struct file *file_out, loff_t pos_out,
> > +                                 size_t *count, unsigned int flags);
> >  extern ssize_t generic_file_read_iter(struct kiocb *, struct iov_iter *);
> >  extern ssize_t __generic_file_write_iter(struct kiocb *, struct iov_iter *);
> >  extern ssize_t generic_file_write_iter(struct kiocb *, struct iov_iter *);
> > diff --git a/mm/filemap.c b/mm/filemap.c
> > index 798aac92cd76..1852fbf08eeb 100644
> > --- a/mm/filemap.c
> > +++ b/mm/filemap.c
> > @@ -3064,6 +3064,59 @@ int generic_file_rw_checks(struct file *file_in, struct file *file_out)
> >       return 0;
> >  }
> >
> > +/*
> > + * Performs necessary checks before doing a file copy
> > + *
> > + * Can adjust amount of bytes to copy
>
> That's the @req_count parameter, correct?

Correct. Same as generic_remap_checks()

>
> > + * Returns appropriate error code that caller should return or
> > + * zero in case the copy should be allowed.
> > + */
> > +int generic_copy_file_checks(struct file *file_in, loff_t pos_in,
> > +                          struct file *file_out, loff_t pos_out,
> > +                          size_t *req_count, unsigned int flags)
> > +{
> > +     struct inode *inode_in = file_inode(file_in);
> > +     struct inode *inode_out = file_inode(file_out);
> > +     uint64_t count = *req_count;
> > +     loff_t size_in;
> > +     int ret;
> > +
> > +     ret = generic_file_rw_checks(file_in, file_out);
> > +     if (ret)
> > +             return ret;
> > +
> > +     /* Don't touch certain kinds of inodes */
> > +     if (IS_IMMUTABLE(inode_out))
> > +             return -EPERM;
> > +
> > +     if (IS_SWAPFILE(inode_in) || IS_SWAPFILE(inode_out))
> > +             return -ETXTBSY;
> > +
> > +     /* Ensure offsets don't wrap. */
> > +     if (pos_in + count < pos_in || pos_out + count < pos_out)
> > +             return -EOVERFLOW;
> > +
> > +     /* Shorten the copy to EOF */
> > +     size_in = i_size_read(inode_in);
> > +     if (pos_in >= size_in)
> > +             count = 0;
> > +     else
> > +             count = min(count, size_in - (uint64_t)pos_in);
>
> Do we need a call to generic_access_check_limits(file_in...) here to
> prevent copies from ranges that the page cache doesn't support?

No. Because i_size cannot be of an illegal size and we cap
the read to i_size.
I also removed generic_access_check_limits() from generic_remap_checks()
for a similar reason in patch #8.

Thanks,
Amir.



[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux