From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andreas Dilger <adilger@dilger.ca>,
Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 21/29] quota: Dont overflow quota file offsets
Date: Thu, 7 Jan 2021 15:31:36 +0100 [thread overview]
Message-ID: <20210107143055.965897593@linuxfoundation.org> (raw)
In-Reply-To: <20210107143052.973437064@linuxfoundation.org>
From: Jan Kara <jack@suse.cz>
[ Upstream commit 10f04d40a9fa29785206c619f80d8beedb778837 ]
The on-disk quota format supports quota files with upto 2^32 blocks. Be
careful when computing quota file offsets in the quota files from block
numbers as they can overflow 32-bit types. Since quota files larger than
4GB would require ~26 millions of quota users, this is mostly a
theoretical concern now but better be careful, fuzzers would find the
problem sooner or later anyway...
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/quota/quota_tree.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c
index bb3f59bcfcf5b..656f9ff63edda 100644
--- a/fs/quota/quota_tree.c
+++ b/fs/quota/quota_tree.c
@@ -61,7 +61,7 @@ static ssize_t read_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
memset(buf, 0, info->dqi_usable_bs);
return sb->s_op->quota_read(sb, info->dqi_type, buf,
- info->dqi_usable_bs, blk << info->dqi_blocksize_bits);
+ info->dqi_usable_bs, (loff_t)blk << info->dqi_blocksize_bits);
}
static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
@@ -70,7 +70,7 @@ static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
ssize_t ret;
ret = sb->s_op->quota_write(sb, info->dqi_type, buf,
- info->dqi_usable_bs, blk << info->dqi_blocksize_bits);
+ info->dqi_usable_bs, (loff_t)blk << info->dqi_blocksize_bits);
if (ret != info->dqi_usable_bs) {
quota_error(sb, "dquota write failed");
if (ret >= 0)
@@ -283,7 +283,7 @@ static uint find_free_dqentry(struct qtree_mem_dqinfo *info,
blk);
goto out_buf;
}
- dquot->dq_off = (blk << info->dqi_blocksize_bits) +
+ dquot->dq_off = ((loff_t)blk << info->dqi_blocksize_bits) +
sizeof(struct qt_disk_dqdbheader) +
i * info->dqi_entry_size;
kfree(buf);
@@ -558,7 +558,7 @@ static loff_t find_block_dqentry(struct qtree_mem_dqinfo *info,
ret = -EIO;
goto out_buf;
} else {
- ret = (blk << info->dqi_blocksize_bits) + sizeof(struct
+ ret = ((loff_t)blk << info->dqi_blocksize_bits) + sizeof(struct
qt_disk_dqdbheader) + i * info->dqi_entry_size;
}
out_buf:
--
2.27.0
next prev parent reply other threads:[~2021-01-07 14:37 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-07 14:31 [PATCH 4.14 00/29] 4.14.214-rc1 review Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 01/29] x86/entry/64: Add instruction suffix Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 02/29] md/raid10: initialize r10_bio->read_slot before use Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 03/29] ALSA: hda/ca0132 - Fix work handling in delayed HP detection Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 04/29] ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 05/29] ALSA: usb-audio: fix sync-ep altsetting sanity check Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 06/29] mm: memcontrol: eliminate raw access to stat and event counters Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 07/29] mm: memcontrol: implement lruvec stat functions on top of each other Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 08/29] mm: memcontrol: fix excessive complexity in memory.stat reporting Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 09/29] vfio/pci: Move dummy_resources_list init in vfio_pci_probe() Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 10/29] s390/dasd: fix hanging device offline processing Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 11/29] USB: serial: digi_acceleport: fix write-wakeup deadlocks Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 12/29] powerpc/bitops: Fix possible undefined behaviour with fls() and fls64() Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 13/29] uapi: move constants from <linux/kernel.h> to <linux/const.h> Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 14/29] of: fix linker-section match-table corruption Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 15/29] reiserfs: add check for an invalid ih_entry_count Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 16/29] misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 17/29] media: gp8psk: initialize stats at power control logic Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 18/29] ALSA: seq: Use bool for snd_seq_queue internal flags Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 19/29] rtc: sun6i: Fix memleak in sun6i_rtc_clk_init Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 20/29] module: set MODULE_STATE_GOING state when a module fails to load Greg Kroah-Hartman
2021-01-07 14:31 ` Greg Kroah-Hartman [this message]
2021-01-07 14:31 ` [PATCH 4.14 22/29] powerpc: sysdev: add missing iounmap() on error in mpic_msgr_probe() Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 23/29] module: delay kobject uevent until after module init call Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 24/29] ALSA: pcm: Clear the full allocated memory at hw_params Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 25/29] dm verity: skip verity work if I/O error when system is shutting down Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 26/29] kdev_t: always inline major/minor helper functions Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 27/29] iio:imu:bmi160: Fix alignment and data leak issues Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 28/29] iio:magnetometer:mag3110: " Greg Kroah-Hartman
2021-01-07 14:31 ` [PATCH 4.14 29/29] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start Greg Kroah-Hartman
2021-01-07 20:20 ` [PATCH 4.14 00/29] 4.14.214-rc1 review Jon Hunter
2021-01-08 7:35 ` Naresh Kamboju
2021-01-08 17:38 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210107143055.965897593@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=adilger@dilger.ca \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.