Hi Darrick,
On Tue, Apr 17, 2018 at 10:55:30AM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
>
> During the "insert range" fallocate operation, i_size grows by the
> specified 'len' bytes. XFS verifies that i_size + len < s_maxbytes, as
> it should. But this comparison is done using the signed 'loff_t', and
> 'i_size + len' can wrap around to a negative value, causing the check to
> incorrectly pass, resulting in an inode with "negative" i_size. This is
> possible on 64-bit platforms, where XFS sets s_maxbytes = LLONG_MAX.
> ext4 and f2fs don't run into this because they set a smaller s_maxbytes.
>
> Fix it by doing an unsigned comparison instead.
>
Can you fix this sentence of the commit message? It's not doing an unsigned
comparison anymore. Otherwise this looks fine -- thanks!
> Reproducer:
> xfs_io -f file -c "truncate $(((1<<63)-1))" -c "finsert 0 4096"
>
> Fixes: a904b1ca5751 ("xfs: Add support FALLOC_FL_INSERT_RANGE for fallocate")
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.1+
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> Originally-From: Eric Biggers <ebiggers@xxxxxxxxxx>
> Reviewed-by: Christoph Hellwig <hch@xxxxxx>
> Reviewed-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> [darrick: fix signed integer addition overflow too]
> Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> ---
> v3: rearrange the changes to churn less
> v2: fix signed integer overflow when adding isize and len
> ---
> fs/xfs/xfs_file.c | 14 +++++++++-----
> 1 file changed, 9 insertions(+), 5 deletions(-)
>
> diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
> index 9fd9dd7..1ac05ab 100644
> --- a/fs/xfs/xfs_file.c
> +++ b/fs/xfs/xfs_file.c
> @@ -778,22 +778,26 @@ xfs_file_fallocate(
> if (error)
> goto out_unlock;
> } else if (mode & FALLOC_FL_INSERT_RANGE) {
> - unsigned int blksize_mask = i_blocksize(inode) - 1;
> + unsigned int blksize_mask = i_blocksize(inode) - 1;
> + loff_t isize = i_size_read(inode);
>
> - new_size = i_size_read(inode) + len;
> if (offset & blksize_mask || len & blksize_mask) {
> error = -EINVAL;
> goto out_unlock;
> }
>
> - /* check the new inode size does not wrap through zero */
> - if (new_size > inode->i_sb->s_maxbytes) {
> + /*
> + * New inode size must not exceed ->s_maxbytes, accounting for
> + * possible signed overflow.
> + */
> + if (inode->i_sb->s_maxbytes - isize < len) {
> error = -EFBIG;
> goto out_unlock;
> }
> + new_size = isize + len;
>
> /* Offset should be less than i_size */
> - if (offset >= i_size_read(inode)) {
> + if (offset >= isize) {
> error = -EINVAL;
> goto out_unlock;
> }
--
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
