On 4/25/20 12:47 AM, Eric Biggers wrote:
On Fri, Apr 24, 2020 at 12:52:17PM +0530, Ritesh Harjani wrote:
We better warn the fibmap user and not return a truncated and therefore
an incorrect block map address if the bmap() returned block address
is greater than INT_MAX (since user supplied integer pointer).
It's better to WARN all user of ioctl_fibmap() and return a proper error
code rather than silently letting a FS corruption happen if the user tries
to fiddle around with the returned block map address.
We fix this by returning an error code of -ERANGE and returning 0 as the
block mapping address in case if it is > INT_MAX.
Signed-off-by: Ritesh Harjani <riteshh@xxxxxxxxxxxxx>
---
fs/ioctl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/ioctl.c b/fs/ioctl.c
index f1d93263186c..3489f3a12c1d 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -71,6 +71,11 @@ static int ioctl_fibmap(struct file *filp, int __user *p)
block = ur_block;
error = bmap(inode, &block);
+ if (block > INT_MAX) {
+ error = -ERANGE;
+ WARN(1, "would truncate fibmap result\n");
+ }
+
WARN() is only for kernel bugs. This case would be a userspace bug, not a
kernel bug, right? If so, it should use pr_warn(), not WARN().
Ok, I see.
Let me replace WARN() with below pr_warn() line then. If no objections,
then will send this in a v2 with both patches combined as Darrick
suggested. - (with Reviewed-by tags of Jan & Christoph).
pr_warn("fibmap: this would truncate fibmap result\n");
- Eric
