From: Dave Chinner <dchinner@xxxxxxxxxx> Userspace can pass anything it wants in the reserved block count and we simply pass that to the reservation code. If a value that is far too large is passed, we can overflow the free space counter and df reports things like: Filesystem Size Used Avail Use% Mounted on /dev/loop0 14M -27Z 27Z - /home/dave/bugs/file0 As reserving space requires CAP_SYS_ADMIN, this is not a problem that will ever be seen in production systems. However, fuzzers are running with CAP_SYS_ADMIN, and so they are able to run filesystem code with out-of-band free space accounting. Stop the fuzzers from being able to do this by validating that the count is within the bounds of the filesystem size and reject anything outside those bounds as invalid. Signed-off-by: Dave Chinner <dchinner@xxxxxxxxxx> --- fs/xfs/xfs_ioctl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index d0e2cec6210d..18a225d884dd 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c @@ -1892,6 +1892,9 @@ xfs_ioctl_getset_resblocks( if (copy_from_user(&fsop, arg, sizeof(fsop))) return -EFAULT; + if (fsop.resblks >= mp->m_sb.sb_dblocks) + return -EINVAL; + error = mnt_want_write_file(filp); if (error) return error; -- 2.43.0
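Review bot: the new `if (fsop.resblks >= mp->m_sb.sb_dblocks) return -EINVAL;` in xfs_ioctl_getset_resblocks() validates the user-supplied count only at this one ioctl entry point, so any other path into the reservation code gets no protection against the free space counter overflow the commit message describes; consider whether the bound belongs in the reservation function itself, with the ioctl simply propagating its error, so every caller is covered. Independently of placement, a one-line comment above the check stating why a count at or above sb_dblocks is rejected (it can never be satisfied and overflows the free space accounting) would save the next reader a trip to the git log, and the commit message's "ever been seen" / "they able" / "ifrom" should read "ever be seen" / "they are able" / "from" before this is merged.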