Commit 324282c0 authored by Carlos Maiolino's avatar Carlos Maiolino Committed by Al Viro

fibmap: Reject negative block numbers

FIBMAP receives an integer from userspace which is then implicitly converted
into sector_t to be passed to bmap(). No check is made to ensure userspace
didn't send a negative block number, which can end up in an underflow, and
returning to userspace a corrupted block address.

As a side-effect, the underflow caused by a negative block here, will
trigger the WARN() in iomap_bmap_actor(), which is how this issue was
first discovered.
Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
Signed-off-by: default avatarCarlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 0d89fdae
...@@ -65,6 +65,9 @@ static int ioctl_fibmap(struct file *filp, int __user *p) ...@@ -65,6 +65,9 @@ static int ioctl_fibmap(struct file *filp, int __user *p)
if (error) if (error)
return error; return error;
if (ur_block < 0)
return -EINVAL;
block = ur_block; block = ur_block;
error = bmap(inode, &block); error = bmap(inode, &block);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment