On Tue, Apr 17, 2018 at 11:00:54AM -0700, Eric Biggers wrote:
> Hi Darrick,
>
> On Tue, Apr 17, 2018 at 10:55:30AM -0700, Darrick J. Wong wrote:
> > From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> >
> > During the "insert range" fallocate operation, i_size grows by the
> > specified 'len' bytes. XFS verifies that i_size + len < s_maxbytes, as
> > it should. But this comparison is done using the signed 'loff_t', and
> > 'i_size + len' can wrap around to a negative value, causing the check to
> > incorrectly pass, resulting in an inode with "negative" i_size. This is
> > possible on 64-bit platforms, where XFS sets s_maxbytes = LLONG_MAX.
> > ext4 and f2fs don't run into this because they set a smaller s_maxbytes.
> >
> > Fix it by doing an unsigned comparison instead.
> >
>
> Can you fix this sentence of the commit message? It's not doing an unsigned
> comparison anymore. Otherwise this looks fine -- thanks!
Will do. Thanks!
--D
>
> > Reproducer:
> > xfs_io -f file -c "truncate $(((1<<63)-1))" -c "finsert 0 4096"
> >
> > Fixes: a904b1ca5751 ("xfs: Add support FALLOC_FL_INSERT_RANGE for fallocate")
> > Cc: <stable@xxxxxxxxxxxxxxx> # v4.1+
> > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> > Originally-From: Eric Biggers <ebiggers@xxxxxxxxxx>
> > Reviewed-by: Christoph Hellwig <hch@xxxxxx>
> > Reviewed-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> > [darrick: fix signed integer addition overflow too]
> > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> > ---
> > v3: rearrange the changes to churn less
> > v2: fix signed integer overflow when adding isize and len
> > ---
> > fs/xfs/xfs_file.c | 14 +++++++++-----
> > 1 file changed, 9 insertions(+), 5 deletions(-)
> >
> > diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
> > index 9fd9dd7..1ac05ab 100644
> > --- a/fs/xfs/xfs_file.c
> > +++ b/fs/xfs/xfs_file.c
> > @@ -778,22 +778,26 @@ xfs_file_fallocate(
> > if (error)
> > goto out_unlock;
> > } else if (mode & FALLOC_FL_INSERT_RANGE) {
> > - unsigned int blksize_mask = i_blocksize(inode) - 1;
> > + unsigned int blksize_mask = i_blocksize(inode) - 1;
> > + loff_t isize = i_size_read(inode);
> >
> > - new_size = i_size_read(inode) + len;
> > if (offset & blksize_mask || len & blksize_mask) {
> > error = -EINVAL;
> > goto out_unlock;
> > }
> >
> > - /* check the new inode size does not wrap through zero */
> > - if (new_size > inode->i_sb->s_maxbytes) {
> > + /*
> > + * New inode size must not exceed ->s_maxbytes, accounting for
> > + * possible signed overflow.
> > + */
> > + if (inode->i_sb->s_maxbytes - isize < len) {
> > error = -EFBIG;
> > goto out_unlock;
> > }
> > + new_size = isize + len;
> >
> > /* Offset should be less than i_size */
> > - if (offset >= i_size_read(inode)) {
> > + if (offset >= isize) {
> > error = -EINVAL;
> > goto out_unlock;
> > }
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
