From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andreas Dilger <adilger@dilger.ca>,
Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 20/32] quota: Dont overflow quota file offsets
Date: Thu, 7 Jan 2021 15:16:40 +0100 [thread overview]
Message-ID: <20210107140828.805868146@linuxfoundation.org> (raw)
In-Reply-To: <20210107140827.866214702@linuxfoundation.org>
From: Jan Kara <jack@suse.cz>
[ Upstream commit 10f04d40a9fa29785206c619f80d8beedb778837 ]
The on-disk quota format supports quota files with upto 2^32 blocks. Be
careful when computing quota file offsets in the quota files from block
numbers as they can overflow 32-bit types. Since quota files larger than
4GB would require ~26 millions of quota users, this is mostly a
theoretical concern now but better be careful, fuzzers would find the
problem sooner or later anyway...
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/quota/quota_tree.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c
index 0738972e8d3f0..ecd9887b0d1fe 100644
--- a/fs/quota/quota_tree.c
+++ b/fs/quota/quota_tree.c
@@ -61,7 +61,7 @@ static ssize_t read_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
memset(buf, 0, info->dqi_usable_bs);
return sb->s_op->quota_read(sb, info->dqi_type, buf,
- info->dqi_usable_bs, blk << info->dqi_blocksize_bits);
+ info->dqi_usable_bs, (loff_t)blk << info->dqi_blocksize_bits);
}
static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
@@ -70,7 +70,7 @@ static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
ssize_t ret;
ret = sb->s_op->quota_write(sb, info->dqi_type, buf,
- info->dqi_usable_bs, blk << info->dqi_blocksize_bits);
+ info->dqi_usable_bs, (loff_t)blk << info->dqi_blocksize_bits);
if (ret != info->dqi_usable_bs) {
quota_error(sb, "dquota write failed");
if (ret >= 0)
@@ -283,7 +283,7 @@ static uint find_free_dqentry(struct qtree_mem_dqinfo *info,
blk);
goto out_buf;
}
- dquot->dq_off = (blk << info->dqi_blocksize_bits) +
+ dquot->dq_off = ((loff_t)blk << info->dqi_blocksize_bits) +
sizeof(struct qt_disk_dqdbheader) +
i * info->dqi_entry_size;
kfree(buf);
@@ -558,7 +558,7 @@ static loff_t find_block_dqentry(struct qtree_mem_dqinfo *info,
ret = -EIO;
goto out_buf;
} else {
- ret = (blk << info->dqi_blocksize_bits) + sizeof(struct
+ ret = ((loff_t)blk << info->dqi_blocksize_bits) + sizeof(struct
qt_disk_dqdbheader) + i * info->dqi_entry_size;
}
out_buf:
--
2.27.0
next prev parent reply other threads:[~2021-01-07 14:20 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-07 14:16 [PATCH 4.9 00/32] 4.9.250-rc1 review Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 01/32] x86/entry/64: Add instruction suffix Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 02/32] ALSA: hda/ca0132 - Fix work handling in delayed HP detection Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 03/32] ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 04/32] ALSA: usb-audio: fix sync-ep altsetting sanity check Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 05/32] ALSA: hda/realtek - Support Dell headset mode for ALC3271 Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 06/32] ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 07/32] ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 08/32] vfio/pci: Move dummy_resources_list init in vfio_pci_probe() Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 09/32] s390/dasd: fix hanging device offline processing Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 10/32] USB: serial: digi_acceleport: fix write-wakeup deadlocks Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 11/32] net: ipv6: keep sk status consistent after datagram connect failure Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 12/32] l2tp: fix races with ipv4-mapped ipv6 addresses Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 13/32] uapi: move constants from <linux/kernel.h> to <linux/const.h> Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 14/32] of: fix linker-section match-table corruption Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 15/32] reiserfs: add check for an invalid ih_entry_count Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 16/32] misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 17/32] media: gp8psk: initialize stats at power control logic Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 18/32] ALSA: seq: Use bool for snd_seq_queue internal flags Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 19/32] module: set MODULE_STATE_GOING state when a module fails to load Greg Kroah-Hartman
2021-01-07 14:16 ` Greg Kroah-Hartman [this message]
2021-01-07 14:16 ` [PATCH 4.9 21/32] powerpc: sysdev: add missing iounmap() on error in mpic_msgr_probe() Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 22/32] module: delay kobject uevent until after module init call Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 23/32] kdev_t: always inline major/minor helper functions Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 24/32] xen/xenbus: Allow watches discard events before queueing Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 25/32] xen/xenbus: Add will_handle callback support in xenbus_watch_path() Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 26/32] xen/xenbus/xen_bus_type: Support will_handle watch callback Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 27/32] xen/xenbus: Count pending messages for each watch Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 28/32] xenbus/xenbus_backend: Disallow pending watch messages Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 29/32] iio: bmi160_core: Fix sparse warning due to incorrect type in assignment Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 30/32] iio:imu:bmi160: Fix too large a buffer Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 31/32] iio:imu:bmi160: Fix alignment and data leak issues Greg Kroah-Hartman
2021-01-07 14:16 ` [PATCH 4.9 32/32] iio:magnetometer:mag3110: " Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210107140828.805868146@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=adilger@dilger.ca \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.