From: gregkh@linuxfoundation.org
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
David Sterba <dsterba@suse.com>
Subject: [PATCH 4.19 03/39] btrfs: validate qgroup inherit for SNAP_CREATE_V2 ioctl
Date: Wed, 10 Mar 2021 14:24:11 +0100
Message-ID: <20210310132319.834379173@linuxfoundation.org>
In-Reply-To: <20210310132319.708237392@linuxfoundation.org>
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
From: Dan Carpenter <dancarpenter@oracle.com>
commit 5011c5a663b9c6d6aff3d394f11049b371199627 upstream.
The problem is we're copying "inherit" from user space but we don't
necessarily know that we're copying enough data for a 64 byte
struct. Then the next problem is that 'inherit' has a variable size
array at the end, and we have to verify that array is the size we
expected.
Fixes: 6f72c7e20dba ("Btrfs: add qgroup inheritance")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1842,7 +1842,10 @@ static noinline int btrfs_ioctl_snap_cre
if (vol_args->flags & BTRFS_SUBVOL_RDONLY)
readonly = true;
if (vol_args->flags & BTRFS_SUBVOL_QGROUP_INHERIT) {
- if (vol_args->size > PAGE_SIZE) {
+ u64 nums;
+
+ if (vol_args->size < sizeof(*inherit) ||
+ vol_args->size > PAGE_SIZE) {
ret = -EINVAL;
goto free_args;
}
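Review bot: the new lower bound `vol_args->size < sizeof(*inherit)` is what makes the later reads of `inherit->num_qgroups`, `inherit->num_ref_copies` and `inherit->num_excl_copies` safe, since with a shorter size those fields would lie past the end of the data actually copied from user space; a one-line comment above the check saying so would stop a future cleanup from collapsing it back into the plain `vol_args->size > PAGE_SIZE` test.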
@@ -1851,6 +1854,20 @@ static noinline int btrfs_ioctl_snap_cre
ret = PTR_ERR(inherit);
goto free_args;
}
+
+ if (inherit->num_qgroups > PAGE_SIZE ||
+ inherit->num_ref_copies > PAGE_SIZE ||
+ inherit->num_excl_copies > PAGE_SIZE) {
+ ret = -EINVAL;
+ goto free_inherit;
+ }
+
+ nums = inherit->num_qgroups + 2 * inherit->num_ref_copies +
+ 2 * inherit->num_excl_copies;
+ if (vol_args->size != struct_size(inherit, qgroups, nums)) {
+ ret = -EINVAL;
+ goto free_inherit;
+ }
}
ret = btrfs_ioctl_snap_create_transid(file, vol_args->name,
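Review bot: the three per-field `> PAGE_SIZE` checks are not redundant with the earlier `vol_args->size > PAGE_SIZE` bound and deserve a comment saying why they exist: they keep the sum `nums = inherit->num_qgroups + 2 * inherit->num_ref_copies + 2 * inherit->num_excl_copies` from wrapping in u64 before `struct_size()` sees it, and `struct_size()` only guards its own multiplication and addition, not a caller-supplied count that has already wrapped to a small value. Note also that the size test is exact (`!=`), so a caller passing a buffer larger than the computed size is now rejected instead of having the trailing bytes ignored; that is the intended tightening, but it is worth stating in the changelog.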
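The commit message above describes validating a variable-length structure copied from user space. As an added example that is not part of the patch or of the kernel's code, the following C model replays the two checks the patch adds (header lower bound first, then a per-count cap and an exact struct_size match) against constructed buffers; the simplified struct layout, the PAGE_SIZE of 4096 and the check_request helper are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of btrfs_qgroup_inherit: a fixed header of
 * counts followed by a trailing array of qgroup ids (the limit block is
 * collapsed into lim[]).  Field names follow the patch. */
struct qgroup_inherit {
    uint64_t flags;
    uint64_t num_qgroups;
    uint64_t num_ref_copies;
    uint64_t num_excl_copies;
    uint64_t lim[5];      /* stands in for struct btrfs_qgroup_limit */
    uint64_t qgroups[];   /* num_qgroups + 2*num_ref_copies + 2*num_excl_copies ids */
};

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096u   /* assumed page size for this example */
#endif

/* Applies the patch's checks to an untrusted buffer of `size` bytes.
 * Returns 0 when the buffer is well formed, -1 (EINVAL in the kernel) otherwise. */
int validate_inherit(const void *buf, size_t size)
{
    struct qgroup_inherit hdr;
    uint64_t nums;
    /* First hunk: the whole header must be present before any count is read. */
    if (size < sizeof(hdr) || size > PAGE_SIZE)
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));
    /* Second hunk: cap each count so the sum below cannot wrap around. */
    if (hdr.num_qgroups > PAGE_SIZE || hdr.num_ref_copies > PAGE_SIZE ||
        hdr.num_excl_copies > PAGE_SIZE)
        return -1;
    nums = hdr.num_qgroups + 2 * hdr.num_ref_copies + 2 * hdr.num_excl_copies;
    /* The buffer must be exactly header plus nums trailing u64s, which is the
     * value struct_size(inherit, qgroups, nums) yields in the kernel. */
    if (size != sizeof(hdr) + nums * sizeof(uint64_t))
        return -1;
    return 0;
}

/* Test helper (assumed): builds a constructed request carrying the given
 * counts and validates it as if `size` bytes had been copied from user space. */
int check_request(uint64_t nq, uint64_t nref, uint64_t nexcl, size_t size)
{
    unsigned char buf[PAGE_SIZE] = {0};   /* backing store is always a full page */
    struct qgroup_inherit hdr = { .num_qgroups = nq, .num_ref_copies = nref,
                                  .num_excl_copies = nexcl };
    memcpy(buf, &hdr, sizeof(hdr));
    return validate_inherit(buf, size);
}
```

The last assertion style case worth trying is a count chosen so that the sum wraps to zero; without the per-count cap it would pass the exact-size test with a header-only buffer.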