fibmap: Reject negative block numbers

FIBMAP receives an integer from userspace which is then implicitly converted
into sector_t to be passed to bmap(). No check is made to ensure userspace
didn't send a negative block number, which can end up in an underflow, and
returning to userspace a corrupted block address.

As a side-effect, the underflow caused by a negative block here, will
trigger the WARN() in iomap_bmap_actor(), which is how this issue was
first discovered.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Carlos Maiolino 2020-01-09 14:30:45 +01:00 committed by Al Viro
parent 0d89fdae2a
commit 324282c025

@ -65,6 +65,9 @@ static int ioctl_fibmap(struct file *filp, int __user *p)
if (error)
return error;
if (ur_block < 0)
return -EINVAL;
block = ur_block;
error = bmap(inode, &block);
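
Review bot: The `if (ur_block < 0)` check sits directly before `block = ur_block;` with no comment explaining it, so the reason for it is only recoverable from the commit message. A one-line comment above the check, saying that a negative int from userspace would wrap when converted to the unsigned sector_t handed to bmap(), would keep a later cleanup from dropping it. The new `-EINVAL` return is also a userspace-visible change for FIBMAP callers and is worth noting wherever the ioctl's error codes are documented.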