From: Amir Goldstein <amir73il@gmail.com>
To: "Darrick J . Wong" <djwong@kernel.org>
Cc: Leah Rumancik <leah.rumancik@gmail.com>,
Chandan Babu R <chandan.babu@oracle.com>,
linux-xfs@vger.kernel.org, fstests@vger.kernel.org,
Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH 5.10 CANDIDATE 1/6] xfs: prevent a WARN_ONCE() in xfs_ioc_attr_list()
Date: Mon, 22 Aug 2022 19:27:57 +0300 [thread overview]
Message-ID: <20220822162802.1661512-2-amir73il@gmail.com> (raw)
In-Reply-To: <20220822162802.1661512-1-amir73il@gmail.com>
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 6ed6356b07714e0198be3bc3ecccc8b40a212de4 upstream.
The "bufsize" comes from the root user. If "bufsize" is negative then,
because of type promotion, neither of the validation checks at the start
of the function is able to catch it:

	if (bufsize < sizeof(struct xfs_attrlist) ||
	    bufsize > XFS_XATTR_LIST_MAX)
		return -EINVAL;

This means "bufsize" will trigger (WARN_ON_ONCE(size > INT_MAX)) in
kvmalloc_node(). Fix this by changing the type from int to size_t.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
---
fs/xfs/xfs_ioctl.c | 2 +-
fs/xfs/xfs_ioctl.h | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 646735aad45d..d973350d5946 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -371,7 +371,7 @@ int
xfs_ioc_attr_list(
struct xfs_inode *dp,
void __user *ubuf,
- int bufsize,
+ size_t bufsize,
int flags,
struct xfs_attrlist_cursor __user *ucursor)
{
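Review bot: the type change only closes the hole because the guard quoted in the commit message (`bufsize > XFS_XATTR_LIST_MAX`) now compares two unsigned operands, so a negative int from a caller is converted to a large size_t and rejected at the upper bound; that guard sits outside this hunk and nothing in it records that the unsigned type is load-bearing. Suggest a one-line comment at the check, since a later "tidy-up" back to int (for example to match `flags`, which stays `int` two lines below) would silently reintroduce the kvmalloc_node() WARN without any compiler diagnostic.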
diff --git a/fs/xfs/xfs_ioctl.h b/fs/xfs/xfs_ioctl.h
index bab6a5a92407..416e20de66e7 100644
--- a/fs/xfs/xfs_ioctl.h
+++ b/fs/xfs/xfs_ioctl.h
@@ -38,8 +38,9 @@ xfs_readlink_by_handle(
int xfs_ioc_attrmulti_one(struct file *parfilp, struct inode *inode,
uint32_t opcode, void __user *uname, void __user *value,
uint32_t *len, uint32_t flags);
-int xfs_ioc_attr_list(struct xfs_inode *dp, void __user *ubuf, int bufsize,
- int flags, struct xfs_attrlist_cursor __user *ucursor);
+int xfs_ioc_attr_list(struct xfs_inode *dp, void __user *ubuf,
+ size_t bufsize, int flags,
+ struct xfs_attrlist_cursor __user *ucursor);
extern struct dentry *
xfs_handle_to_dentry(
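Review bot: the declaration now agrees with the definition in xfs_ioctl.c, which is the important part; the remaining risk is at the call sites, because a caller still handing in an `int` length converts implicitly to `size_t` with no warning, so the fix relies on every caller passing either an unsigned length or a value already bounded before the call. Worth checking each caller of `xfs_ioc_attr_list` in the same series rather than only the prototype. The reflow from two lines to three is fine; `xfs_ioc_attrmulti_one` above it keeps the same continuation style.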
--
2.25.1
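To make the promotion behaviour described in the commit message concrete, here is an added user-space reproduction (not part of the patch or of the XFS code). It writes the bounds check out twice, once with the pre-patch `int` parameter and once with the post-patch `size_t` parameter, and shows which inputs each version accepts. The struct is a stand-in with the same three-field shape as `struct xfs_attrlist`, and the constant value 65536 for XFS_XATTR_LIST_MAX is assumed here; only the relative sizes matter for the demonstration.

```c
/* Added example: user-space reproduction of the int vs. size_t
 * comparison behaviour behind the xfs_ioc_attr_list() fix.
 * Not kernel code; the struct and constant are stand-ins (assumption). */
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <errno.h>
#include <stdio.h>

#define XFS_XATTR_LIST_MAX 65536 /* assumed value for the demonstration */

/* Stand-in with the same field layout as the kernel's struct xfs_attrlist
 * (three 32-bit fields); only sizeof() matters below. */
struct xfs_attrlist {
	int32_t al_count;
	int32_t al_more;
	int32_t al_offset[1];
};

/* The check as it stood before the patch: bufsize is a signed int.
 * Returns 0 if the size would be accepted, -EINVAL if rejected. */
static int check_before(int bufsize)
{
	/* First comparison: sizeof() is size_t, so bufsize is promoted to
	 * size_t.  A negative value becomes huge and is NOT "< sizeof".
	 * Second comparison: both operands are int, so a negative value is
	 * NOT "> 65536" either.  A negative bufsize therefore passes. */
	if (bufsize < sizeof(struct xfs_attrlist) ||
	    bufsize > XFS_XATTR_LIST_MAX)
		return -EINVAL;
	return 0;
}

/* The same check after the patch: bufsize is size_t, so the second
 * comparison is unsigned too and a former negative int is rejected. */
static int check_after(size_t bufsize)
{
	if (bufsize < sizeof(struct xfs_attrlist) ||
	    bufsize > XFS_XATTR_LIST_MAX)
		return -EINVAL;
	return 0;
}

/* What kvmalloc_node() sees once the accepted int reaches its size_t
 * parameter: returns 1 if the WARN_ON_ONCE(size > INT_MAX) would fire. */
static int would_trip_kvmalloc_warn(int bufsize)
{
	size_t size = bufsize; /* the implicit conversion at the call site */
	return size > INT_MAX;
}

int main(void)
{
	int negative = -1;

	printf("int bufsize=-1: check -> %d, would WARN -> %d\n",
	       check_before(negative), would_trip_kvmalloc_warn(negative));
	printf("size_t bufsize=(size_t)-1: check -> %d\n",
	       check_after((size_t)negative));
	printf("size_t bufsize=12: check -> %d\n", check_after(12));
	return 0;
}
```

Run with `gcc -Wall -Wextra repro.c && ./a.out`: the `int` version accepts -1 and the converted size would trip the WARN, while the `size_t` version rejects the same bit pattern with -EINVAL. `-Wsign-compare` also flags the mixed comparison in `check_before`, which is the compiler hint that was available for the original code.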
Thread overview:
2022-08-22 16:27 [PATCH 5.10 CANDIDATE 0/7] xfs stable candidate patches for 5.10.y (from v5.17) Amir Goldstein
2022-08-22 16:27 ` Amir Goldstein [this message]
2022-08-22 16:27 ` [PATCH 5.10 CANDIDATE 2/6] xfs: reject crazy array sizes being fed to XFS_IOC_GETBMAP* Amir Goldstein
2022-08-22 16:27 ` [PATCH 5.10 CANDIDATE 3/6] fs: remove __sync_filesystem Amir Goldstein
2022-08-22 16:28 ` [PATCH 5.10 CANDIDATE 4/6] vfs: make sync_filesystem return errors from ->sync_fs Amir Goldstein
2022-08-22 16:28 ` [PATCH 5.10 CANDIDATE 5/6] xfs: return errors in xfs_fs_sync_fs Amir Goldstein
2022-08-22 16:28 ` [PATCH 5.10 CANDIDATE 6/6] xfs: only bother with sync_filesystem during readonly remount Amir Goldstein
2022-08-22 16:52 ` [PATCH 5.10 CANDIDATE 0/7] xfs stable candidate patches for 5.10.y (from v5.17) Darrick J. Wong