From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
David Sterba <dsterba@suse.com>
Subject: [PATCH 5.4 05/22] btrfs: validate qgroup inherit for SNAP_CREATE_V2 ioctl
Date: Mon, 8 Mar 2021 13:30:22 +0100 [thread overview]
Message-ID: <20210308122714.654095897@linuxfoundation.org> (raw)
In-Reply-To: <20210308122714.391917404@linuxfoundation.org>
From: Dan Carpenter <dancarpenter@oracle.com>
commit 5011c5a663b9c6d6aff3d394f11049b371199627 upstream.
The problem is we're copying "inherit" from user space but we don't
necessarily know that we're copying enough data for a 64 byte
struct. Then the next problem is that 'inherit' has a variable size
array at the end, and we have to verify that array is the size we
expected.
Fixes: 6f72c7e20dba ("Btrfs: add qgroup inheritance")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1907,7 +1907,10 @@ static noinline int btrfs_ioctl_snap_cre
if (vol_args->flags & BTRFS_SUBVOL_RDONLY)
readonly = true;
if (vol_args->flags & BTRFS_SUBVOL_QGROUP_INHERIT) {
- if (vol_args->size > PAGE_SIZE) {
+ u64 nums;
+
+ if (vol_args->size < sizeof(*inherit) ||
+ vol_args->size > PAGE_SIZE) {
ret = -EINVAL;
goto free_args;
}
@@ -1916,6 +1919,20 @@ static noinline int btrfs_ioctl_snap_cre
ret = PTR_ERR(inherit);
goto free_args;
}
+
+ if (inherit->num_qgroups > PAGE_SIZE ||
+ inherit->num_ref_copies > PAGE_SIZE ||
+ inherit->num_excl_copies > PAGE_SIZE) {
+ ret = -EINVAL;
+ goto free_inherit;
+ }
+
+ nums = inherit->num_qgroups + 2 * inherit->num_ref_copies +
+ 2 * inherit->num_excl_copies;
+ if (vol_args->size != struct_size(inherit, qgroups, nums)) {
+ ret = -EINVAL;
+ goto free_inherit;
+ }
}
ret = btrfs_ioctl_snap_create_transid(file, vol_args->name,
next prev parent reply other threads:[~2021-03-08 12:32 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-08 12:30 [PATCH 5.4 00/22] 5.4.104-rc1 review Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 01/22] tpm, tpm_tis: Decorate tpm_tis_gen_interrupt() with request_locality() Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 02/22] tpm, tpm_tis: Decorate tpm_get_timeouts() " Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 03/22] btrfs: raid56: simplify tracking of Q stripe presence Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 04/22] btrfs: fix raid6 qstripe kmap Greg Kroah-Hartman
2021-03-08 12:30 ` Greg Kroah-Hartman [this message]
2021-03-08 12:30 ` [PATCH 5.4 06/22] btrfs: free correct amount of space in btrfs_delayed_inode_reserve_metadata Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 07/22] btrfs: unlock extents in btrfs_zero_range in case of quota reservation errors Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 08/22] btrfs: fix warning when creating a directory with smack enabled Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 09/22] PM: runtime: Update device status before letting suppliers suspend Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 10/22] dm bufio: subtract the number of initial sectors in dm_bufio_get_device_size Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 11/22] dm verity: fix FEC for RS roots unaligned to block size Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 12/22] drm/amdgpu: fix parameter error of RREG32_PCIE() in amdgpu_regs_pcie Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 13/22] arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 14/22] crypto - shash: reduce minimum alignment of shash_desc structure Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 15/22] usbip: tools: fix build error for multiple definition Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 16/22] ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 17/22] RDMA/rxe: Fix missing kconfig dependency on CRYPTO Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 18/22] IB/mlx5: Add missing error code Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 19/22] ALSA: hda: intel-nhlt: verify config type Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 20/22] ftrace: Have recordmcount use w8 to read relp->r_info in arm64_is_fake_mcount Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 21/22] rsxx: Return -EFAULT if copy_to_user() fails Greg Kroah-Hartman
2021-03-08 12:30 ` [PATCH 5.4 22/22] r8169: fix resuming from suspend on RTL8105e if machine runs on battery Greg Kroah-Hartman
2021-03-08 16:59 ` [PATCH 5.4 00/22] 5.4.104-rc1 review Florian Fainelli
2021-03-08 17:18 ` Jon Hunter
2021-03-08 22:29 ` Guenter Roeck
2021-03-09 1:59 ` Samuel Zou
2021-03-09 4:59 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210308122714.654095897@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=dsterba@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.