From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-yb0-f196.google.com ([209.85.213.196]:37813 "EHLO mail-yb0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750989AbeDPUtG (ORCPT ); Mon, 16 Apr 2018 16:49:06 -0400 Received: by mail-yb0-f196.google.com with SMTP id i13-v6so7577832ybl.4 for ; Mon, 16 Apr 2018 13:49:06 -0700 (PDT) From: Eric Biggers Subject: [PATCH] xfs: prevent creating negative-sized file via INSERT_RANGE Date: Mon, 16 Apr 2018 13:46:30 -0700 Message-Id: <20180416204630.177682-1-ebiggers3@gmail.com> Sender: linux-xfs-owner@vger.kernel.org List-ID: List-Id: xfs To: linux-xfs@vger.kernel.org Cc: Eric Biggers From: Eric Biggers During the "insert range" fallocate operation, i_size grows by the specified 'len' bytes. XFS verifies that i_size + len < s_maxbytes, as it should. But this comparison is done using the signed 'loff_t', and 'i_size + len' can wrap around to a negative value, causing the check to incorrectly pass, resulting in an inode with "negative" i_size. This is possible on 64-bit platforms, where XFS sets s_maxbytes = LLONG_MAX. ext4 and f2fs don't run into this because they set a smaller s_maxbytes. Fix it by doing an unsigned comparison instead. Reproducer: xfs_io -f file -c "truncate $(((1<<63)-1))" -c "finsert 0 4096" Fixes: a904b1ca5751 ("xfs: Add support FALLOC_FL_INSERT_RANGE for fallocate") Cc: # v4.1+ Signed-off-by: Eric Biggers --- fs/xfs/xfs_file.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c index 299aee4b7b0b..56a820efeb2a 100644 --- a/fs/xfs/xfs_file.c +++ b/fs/xfs/xfs_file.c @@ -786,8 +786,11 @@ xfs_file_fallocate( goto out_unlock; } - /* check the new inode size does not wrap through zero */ - if (new_size > inode->i_sb->s_maxbytes) { + /* + * New inode size must not exceed ->s_maxbytes, accounting for + * possible signed overflow. + */ + if ((u64)new_size > inode->i_sb->s_maxbytes) { error = -EFBIG; goto out_unlock; } -- 2.17.0.484.g0c8726318c-goog