Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE
1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check whether the donor file is append-only before writing to it. 2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer overflow that allows a user to specify an out-of-bounds range to copy from the source file (if off + len wraps around). I haven't been able to successfully exploit this, but I'd imagine that a clever attacker could use this to read things he shouldn't. Even if it's not exploitable, it couldn't hurt to be safe. Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> cc: stable@kernel.org Signed-off-by: Chris Mason <chris.mason@oracle.com>
Родитель
b5384d48f4
Коммит
2ebc346478
|
@ -1458,7 +1458,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* the destination must be opened for writing */
|
/* the destination must be opened for writing */
|
||||||
if (!(file->f_mode & FMODE_WRITE))
|
if (!(file->f_mode & FMODE_WRITE) || (file->f_flags & O_APPEND))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
ret = mnt_want_write(file->f_path.mnt);
|
ret = mnt_want_write(file->f_path.mnt);
|
||||||
|
@ -1511,7 +1511,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
|
||||||
|
|
||||||
/* determine range to clone */
|
/* determine range to clone */
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
if (off >= src->i_size || off + len > src->i_size)
|
if (off + len > src->i_size || off + len < off)
|
||||||
goto out_unlock;
|
goto out_unlock;
|
||||||
if (len == 0)
|
if (len == 0)
|
||||||
olen = len = src->i_size - off;
|
olen = len = src->i_size - off;
|
||||||
|
|
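Review bot: The rewritten range check `if (off + len > src->i_size || off + len < off)` in the second hunk drops the old `off >= src->i_size` test, so a request with `off == src->i_size` and `len == 0` now passes and reaches the `if (len == 0)` branch below, where `olen = len = src->i_size - off` produces a zero-length clone instead of -EINVAL. If that is intended, a comment such as `/* off == i_size with len == 0 is a no-op clone, not an error */` would make it explicit; otherwise keep the explicit `off >= src->i_size` condition alongside the wrap test. The wrap test `off + len < off` only detects overflow if `off` and `len` are unsigned; their declarations are outside this hunk, so that should be confirmed against the function signature. The enclosing btrfs_ioctl_clone body starts and ends outside both hunks.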