From: Andi Kleen <andi@firstfloor.org>
To: Jan Schmidt <list.btrfs@jan-o-sch.net>
Cc: chris.mason@oracle.com, linux-btrfs@vger.kernel.org
Subject: Re: [PATCH v5 8/8] btrfs: new ioctls to do logical->inode and inode->path resolving
Date: Thu, 21 Jul 2011 13:14:16 -0700
Message-ID: <m2d3h34civ.fsf@firstfloor.org>
In-Reply-To: <d1e9e9c9695a1291d624ad86abb8648f7d04a848.1311244592.git.list.btrfs@jan-o-sch.net> (Jan Schmidt's message of "Thu, 21 Jul 2011 13:19:48 +0200")

Jan Schmidt <list.btrfs@jan-o-sch.net> writes:
> +
> +static long btrfs_ioctl_logical_to_ino(struct btrfs_root *root,
> +					void __user *arg)
> +{
> +	int ret = 0;
> +	int size;
> +	u64 extent_offset;
> +	struct btrfs_ioctl_logical_ino_args *loi;
> +	struct btrfs_data_container *inodes = NULL;
> +	struct btrfs_path *path = NULL;
> +	struct btrfs_key key;
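
Review bot: no permission check is visible in btrfs_ioctl_logical_to_ino; in the lines quoted in this message the declarations are followed directly by memdup_user(arg, sizeof(*loi)). If the lookup is meant to be restricted, a capable(CAP_SYS_ADMIN) test that returns -EPERM belongs at the top of the function, before anything is copied from user space, with a comment saying why the ioctl is privileged.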

This really needs to be root-only for obvious reasons.
The same for the ino_path function

> +
> +	loi = memdup_user(arg, sizeof(*loi));
> +	if (IS_ERR(loi)) {
> +		ret = PTR_ERR(loi);
> +		loi = NULL;
> +		goto out;
> +	}
> +
> +	path = btrfs_alloc_path();
> +	if (!path) {
> +		ret = -ENOMEM;
> +		goto out;
> +	}
> +
> +	size = min(loi->size, 4096);
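
Review bot: size = min(loi->size, 4096) bounds the value from above only; size is declared int, so a negative loi->size compares smaller than 4096 and is stored unchanged. Reject loi->size <= 0 with -EINVAL before this line, or make the field and the local unsigned and clamp with min_t() on an unsigned type, so that later users of size never see a negative length.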

This is likely a root hole. loi->size is signed! Consider the case
of a negative value being passed in.

Same for the earlier function.

-Andi
-- 
ak@linux.intel.com -- Speaking for myself only
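
The signed-length point raised in the message above, as an added example that is not part of the original message or of the btrfs patch: a userspace C program showing that an upper-bound-only clamp on a signed int passes a negative value through, what that value becomes as a size_t, and a checked variant. The function names are hypothetical, the inputs are constructed, and how the patch uses size after the quoted lines is not shown on this page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define CAP_BYTES 4096	/* the upper bound used in the quoted patch */

/* Same shape as the quoted line: min() on two signed ints bounds the
 * value from above only, so a negative request is returned unchanged. */
static int clamp_like_patch(int requested)
{
	return requested < CAP_BYTES ? requested : CAP_BYTES;
}

/* What a negative int turns into when it reaches a size_t parameter
 * (allocator, copy routine): a value near SIZE_MAX. */
static size_t as_length(int size)
{
	return (size_t)size;
}

/* Hypothetical hardened variant: reject non-positive requests first,
 * then clamp, and hand back only an unsigned length. */
static int clamp_checked(int requested, size_t *out)
{
	if (requested <= 0)
		return -EINVAL;
	*out = requested < CAP_BYTES ? (size_t)requested : (size_t)CAP_BYTES;
	return 0;
}

int main(void)
{
	int samples[] = { 100, 4096, 65536, -1 };	/* constructed inputs */

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		size_t len = 0;
		int unchecked = clamp_like_patch(samples[i]);
		int rc = clamp_checked(samples[i], &len);

		printf("req=%d patch-style=%d as size_t=%zu checked rc=%d len=%zu\n",
		       samples[i], unchecked, as_length(unchecked), rc, len);
	}
	return 0;
}
```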

Thread overview: 11+ messages
2011-07-21 11:19 [PATCH v5 0/8] Btrfs scrub: print path to corrupted files and trigger nodatasum fixup Jan Schmidt
2011-07-21 11:19 ` [PATCH v5 1/8] btrfs: added helper functions to iterate backrefs Jan Schmidt
2011-07-21 11:19 ` [PATCH v5 2/8] btrfs scrub: added unverified_errors Jan Schmidt
2011-07-21 11:19 ` [PATCH v5 3/8] btrfs scrub: print paths of corrupted files Jan Schmidt
2011-07-21 11:19 ` [PATCH v5 4/8] btrfs scrub: bugfix: mirror_num off by one Jan Schmidt
2011-07-21 11:19 ` [PATCH v5 5/8] btrfs: add mirror_num to extent_read_full_page Jan Schmidt
2011-07-21 11:19 ` [PATCH v5 6/8] btrfs scrub: use int for mirror_num, not u64 Jan Schmidt
2011-07-21 11:19 ` [PATCH v5 7/8] btrfs scrub: add fixup code for errors on nodatasum files Jan Schmidt
2011-07-21 11:19 ` [PATCH v5 8/8] btrfs: new ioctls to do logical->inode and inode->path resolving Jan Schmidt
2011-07-21 20:14   ` Andi Kleen [this message]
2011-07-22  7:09     ` Jan Schmidt
