From: Alessio Balsini
To: Arnd Bergmann, Miklos Szeredi
Cc: kernel-team@android.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] fs/fuse: Fix matching of FUSE_DEV_IOC_CLONE command
Date: Fri, 19 Mar 2021 15:05:14 +0000
Message-Id: <20210319150514.1315985-1-balsini@android.com>

With commit f8425c939663 ("fuse: 32-bit user space ioctl compat for fuse device") the matching constraints for the FUSE_DEV_IOC_CLONE ioctl command are relaxed, limited to the testing of command type and number. As Arnd noticed, this is wrong as it wouldn't ensure the correctness of the data size or direction for the received FUSE device ioctl.

Fix by bringing back the comparison of the ioctl received by the FUSE device to the originally generated FUSE_DEV_IOC_CLONE.

Fixes: f8425c939663 ("fuse: 32-bit user space ioctl compat for fuse device")
Reported-by: Arnd Bergmann
Signed-off-by: Alessio Balsini

--- fs/fuse/dev.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index c0fee830a34e..a5ceccc5ef00 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -2233,11 +2233,8 @@ static long fuse_dev_ioctl(struct file *file, unsigned int cmd, int oldfd; struct fuse_dev *fud = NULL; - if (_IOC_TYPE(cmd) != FUSE_DEV_IOC_MAGIC) - return -ENOTTY; - - switch (_IOC_NR(cmd)) { - case _IOC_NR(FUSE_DEV_IOC_CLONE): + switch (cmd) { + case FUSE_DEV_IOC_CLONE: res = -EFAULT; if (!get_user(oldfd, (__u32 __user *)arg)) { struct file *old = fget(oldfd); -- 2.31.0.291.g576ba9dcdaf-goog
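
Review bot: with the early "if (_IOC_TYPE(cmd) != FUSE_DEV_IOC_MAGIC) return -ENOTTY;" removed at the top of fuse_dev_ioctl(), every command other than FUSE_DEV_IOC_CLONE now relies on the default branch of "switch (cmd)", which this hunk does not show; please confirm that path still returns -ENOTTY so unknown ioctls on the FUSE device are rejected as before. A one-line comment above "case FUSE_DEV_IOC_CLONE:" saying that the full command word is compared on purpose, because it also covers direction and size, would help keep the match from being relaxed again.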
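
The difference between the relaxed and the exact match described in the commit message, as an added userspace example that is not part of the original mail or of the kernel source. It assumes the generic Linux ioctl bit layout and the uapi definition FUSE_DEV_IOC_CLONE = _IOR(229, 0, uint32_t); the macro and function names are local to the example, and the sample commands are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Generic Linux ioctl number layout (assumed here; some architectures differ):
 * bits 0-7 number, 8-15 type, 16-29 argument size, 30-31 direction. */
#define DIR_NONE  0u
#define DIR_WRITE 1u
#define DIR_READ  2u
#define MK_IOC(dir, type, nr, size) \
    (((uint32_t)(dir) << 30) | ((uint32_t)(size) << 16) | \
     ((uint32_t)(type) << 8) | (uint32_t)(nr))
#define GET_TYPE(cmd) (((cmd) >> 8) & 0xffu)
#define GET_NR(cmd)   ((cmd) & 0xffu)

/* Values from the uapi fuse.h definition _IOR(229, 0, uint32_t). */
#define FUSE_MAGIC 229u
#define CLONE_CMD  MK_IOC(DIR_READ, FUSE_MAGIC, 0u, sizeof(uint32_t))

/* Matching as removed by the patch: type and number only. */
static int match_relaxed(uint32_t cmd)
{
    return GET_TYPE(cmd) == FUSE_MAGIC && GET_NR(cmd) == GET_NR(CLONE_CMD);
}

/* Matching as restored by the patch: the whole command word. */
static int match_strict(uint32_t cmd)
{
    return cmd == CLONE_CMD;
}

int main(void)
{
    /* Constructed sample commands, all with type 229 and number 0. */
    const struct { const char *what; uint32_t cmd; } samples[] = {
        { "genuine clone request", CLONE_CMD },
        { "wrong direction",       MK_IOC(DIR_WRITE, FUSE_MAGIC, 0u, 4u) },
        { "wrong size (8)",        MK_IOC(DIR_READ, FUSE_MAGIC, 0u, 8u) },
        { "no argument at all",    MK_IOC(DIR_NONE, FUSE_MAGIC, 0u, 0u) },
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22s 0x%08x relaxed=%d strict=%d\n", samples[i].what,
               (unsigned)samples[i].cmd, match_relaxed(samples[i].cmd),
               match_strict(samples[i].cmd));
    return 0;
}
```

Only the first sample passes the exact compare; the other three pass the type-and-number check even though the handler goes on to read a 32-bit value from the argument pointer.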