author David Howells <[email protected]> 2022-08-08 09:52:35 +0100
committer Linus Torvalds <[email protected]> 2022-08-08 10:39:29 -0700
commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849
tree 6216adc07686f04a259bd6bb7a455d82636bbcfd /scripts/gdb/linux/slab.py
parent 3466f49dd0dd9d30fe1e916b49fca1f4f99a3b66
vfs: Check the truncate maximum size in inode_newsize_ok()
If something manages to set the maximum file size to MAX_OFFSET+1, this can cause the xfs and ext4 filesystems at least to become corrupt.

Ordinarily, the kernel protects against userspace trying this by checking the value early in the truncate() and ftruncate() system calls - but there are at least two places that this check is bypassed:

 (1) Cachefiles will round up the EOF of the backing file to DIO block size so as to allow DIO on the final block - but this might push the offset negative. It then calls notify_change(), but this inadvertently bypasses the checking. This can be triggered if someone puts an 8EiB-1 file on a server for someone else to try and access by, say, nfs.

 (2) ksmbd doesn't check the value it is given in set_end_of_file_info() and then calls vfs_truncate() directly - which also bypasses the check.

In both cases, it is potentially possible for a network filesystem to cause a disk filesystem to be corrupted: cachefiles in the client's cache filesystem; ksmbd in the server's filesystem.

nfsd is okay as it checks the value, but we can then remove this check too.

Fix this by adding a check to inode_newsize_ok(), as called from setattr_prepare(), thereby catching the issue as filesystems set up to perform the truncate with minimal opportunity for bypassing the new check.

Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling")
Fixes: f44158485826 ("cifsd: add file operations")
Signed-off-by: David Howells <[email protected]>
Reported-by: Jeff Layton <[email protected]>
Tested-by: Jeff Layton <[email protected]>
Reviewed-by: Namjae Jeon <[email protected]>
Cc: [email protected]
Acked-by: Alexander Viro <[email protected]>
cc: Steve French <[email protected]>
cc: Hyunchul Lee <[email protected]>
cc: Chuck Lever <[email protected]>
cc: Dave Wysochanski <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'scripts/gdb/linux/slab.py')
0 files changed, 0 insertions, 0 deletions
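
A user-space model of case (1) in the commit message, added here as an example; it is not code from this commit or from the kernel. It shows an 8EiB-1 EOF wrapping negative when rounded up to a block size, and a size check placed at the truncate chokepoint rejecting it. All names (`loff_model_t`, `round_up_unchecked`, `round_up_checked`, `model_newsize_ok`), the 4096-byte block size and the error codes are assumptions for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t loff_model_t;   /* assumption: models a signed 64-bit file offset */

/* Round up with no range check: the addition is done unsigned, then the
 * result is reinterpreted as signed, so an EOF near INT64_MAX wraps negative. */
static loff_model_t round_up_unchecked(loff_model_t eof, uint64_t blk)
{
    uint64_t r = ((uint64_t)eof + blk - 1) & ~(blk - 1);
    return (loff_model_t)r;
}

/* Defensive variant: refuse to round when the result would not fit. */
static bool round_up_checked(loff_model_t eof, uint64_t blk, loff_model_t *out)
{
    if (eof < 0 || blk == 0 || (blk & (blk - 1)) || blk > (uint64_t)INT64_MAX)
        return false;                       /* bad input or non power-of-two block */
    if (eof > INT64_MAX - (int64_t)(blk - 1))
        return false;                       /* eof + blk - 1 would overflow */
    *out = (eof + (int64_t)(blk - 1)) & ~(int64_t)(blk - 1);
    return true;
}

/* Model of a size check at the common truncate path: a caller that skipped
 * the early syscall-level validation is still caught here. */
static int model_newsize_ok(loff_model_t newsize, loff_model_t maxbytes)
{
    if (newsize < 0)
        return -EINVAL;
    if (newsize > maxbytes)
        return -EFBIG;
    return 0;
}

int main(void)
{
    loff_model_t eof = INT64_MAX;           /* constructed input: an 8EiB-1 file */
    loff_model_t wrapped = round_up_unchecked(eof, 4096);
    loff_model_t safe;

    printf("unchecked round-up: %lld\n", (long long)wrapped);
    printf("size check result:  %d\n", model_newsize_ok(wrapped, INT64_MAX));
    printf("checked round-up ok: %d\n", round_up_checked(eof, 4096, &safe));
    return 0;
}
```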