* [PATCH v2 1/3] fuse: check if copy_file_range() returns larger than requested size
[not found] <20250813152014.100048-1-mszeredi@redhat.com>
@ 2025-08-13 15:20 ` Miklos Szeredi
2025-08-13 15:20 ` [PATCH v2 2/3] fuse: prevent overflow in copy_file_range return value Miklos Szeredi
1 sibling, 0 replies; 2+ messages in thread
From: Miklos Szeredi @ 2025-08-13 15:20 UTC (permalink / raw)
To: linux-fsdevel
Cc: Bernd Schubert, Amir Goldstein, Florian Weimer, Chunsheng Luo,
stable
Just like write(), copy_file_range() should check if the return value is
less or equal to the requested number of bytes.
Reported-by: Chunsheng Luo <luochunsheng@ustc.edu>
Closes: https://lore.kernel.org/all/20250807062425.694-1-luochunsheng@ustc.edu/
Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()")
Cc: <stable@vger.kernel.org> # v4.20
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
---
fs/fuse/file.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 5525a4520b0f..45207a6bb85f 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -3026,6 +3026,9 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
fc->no_copy_file_range = 1;
err = -EOPNOTSUPP;
}
+ if (!err && outarg.size > len)
+ err = -EIO;
+
if (err)
goto out;
--
2.49.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH v2 2/3] fuse: prevent overflow in copy_file_range return value
[not found] <20250813152014.100048-1-mszeredi@redhat.com>
2025-08-13 15:20 ` [PATCH v2 1/3] fuse: check if copy_file_range() returns larger than requested size Miklos Szeredi
@ 2025-08-13 15:20 ` Miklos Szeredi
1 sibling, 0 replies; 2+ messages in thread
From: Miklos Szeredi @ 2025-08-13 15:20 UTC (permalink / raw)
To: linux-fsdevel
Cc: Bernd Schubert, Amir Goldstein, Chunsheng Luo, Florian Weimer,
stable
The FUSE protocol uses struct fuse_write_out to convey the return value of
copy_file_range, which is restricted to uint32_t. But the COPY_FILE_RANGE
interface supports a 64-bit size copies.
Currently the number of bytes copied is silently truncated to 32-bit, which
may result in poor performance or even failure to copy in case of
truncation to zero.
Reported-by: Florian Weimer <fweimer@redhat.com>
Closes: https://lore.kernel.org/all/lhuh5ynl8z5.fsf@oldenburg.str.redhat.com/
Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()")
Cc: <stable@vger.kernel.org> # v4.20
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
---
fs/fuse/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 45207a6bb85f..4adcf09d4b01 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2960,7 +2960,7 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
.nodeid_out = ff_out->nodeid,
.fh_out = ff_out->fh,
.off_out = pos_out,
- .len = len,
+ .len = min_t(size_t, len, UINT_MAX & PAGE_MASK),
.flags = flags
};
struct fuse_write_out outarg;
--
2.49.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-08-13 15:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20250813152014.100048-1-mszeredi@redhat.com>
2025-08-13 15:20 ` [PATCH v2 1/3] fuse: check if copy_file_range() returns larger than requested size Miklos Szeredi
2025-08-13 15:20 ` [PATCH v2 2/3] fuse: prevent overflow in copy_file_range return value Miklos Szeredi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox