Skip to content

Commit

Permalink
fibmap: Reject negative block numbers
Browse files Browse the repository at this point in the history 
FIBMAP receives an integer from userspace which is then implicitly converted
into sector_t to be passed to bmap(). No check is made to ensure userspace
didn't send a negative block number, which can end up in an underflow, and
returning to userspace a corrupted block address.

As a side-effect, the underflow caused by a negative block here, will
trigger the WARN() in iomap_bmap_actor(), which is how this issue was
first discovered.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  • Loading branch information
Carlos Maiolino authored and Al Viro committed Feb 3, 2020
1 parent 0d89fda commit 324282c
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions fs/ioctl.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,9 @@ static int ioctl_fibmap(struct file *filp, int __user *p)
if (error)
return error;

if (ur_block < 0)
return -EINVAL;

block = ur_block;
error = bmap(inode, &block);

Expand Down

0 comments on commit 324282c

Please sign in to comment.