From 0d89fdae2afe833dd3025edd8c8287675d45c74e Mon Sep 17 00:00:00 2001
From: Carlos Maiolino
Date: Thu, 9 Jan 2020 14:30:44 +0100
Subject: fibmap: Use bmap instead of ->bmap method in ioctl_fibmap

Now we have the possibility of proper error return in bmap, use bmap() function in ioctl_fibmap() instead of calling ->bmap method directly.

Signed-off-by: Carlos Maiolino
Signed-off-by: Al Viro
---
 fs/ioctl.c | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
(limited to 'fs/ioctl.c')
diff --git a/fs/ioctl.c b/fs/ioctl.c
index 2f5e4e5b97e1..13327862f278 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -54,19 +54,29 @@ EXPORT_SYMBOL(vfs_ioctl);
 static int ioctl_fibmap(struct file *filp, int __user *p)
 {
- struct address_space *mapping = filp->f_mapping;
- int res, block;
+ struct inode *inode = file_inode(filp);
+ int error, ur_block;
+ sector_t block;
- /* do we support this mess? */
- if (!mapping->a_ops->bmap)
- return -EINVAL;
 if (!capable(CAP_SYS_RAWIO))
 return -EPERM;
- res = get_user(block, p);
- if (res)
- return res;
- res = mapping->a_ops->bmap(mapping, block);
- return put_user(res, p);
+
+ error = get_user(ur_block, p);
+ if (error)
+ return error;
+
+ block = ur_block;
+ error = bmap(inode, &block);
+
+ if (error)
+ ur_block = 0;
+ else
+ ur_block = block;
+
+ if (put_user(ur_block, p))
+ error = -EFAULT;
+
+ return error;
 }
 /**
--
cgit v1.2.3
From 324282c0252a44a97d628813e30ea7258940d469 Mon Sep 17 00:00:00 2001
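Review bot: The write-back `ur_block = block;` in the `else` branch narrows a sector_t to int with no range check, so a mapped block number above INT_MAX reaches userspace truncated (possibly negative) while the ioctl still returns 0. A caller with CAP_SYS_RAWIO that trusts the value would then act on the wrong physical block. Adding `if (!error && block > INT_MAX) error = -ERANGE;` right after `error = bmap(inode, &block);` lets the existing `if (error) ur_block = 0;` branch cover it. The follow-up hunk that rejects negative input only guards the inbound conversion, so this outbound narrowing remains after it.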
From: Carlos Maiolino
Date: Thu, 9 Jan 2020 14:30:45 +0100
Subject: fibmap: Reject negative block numbers

FIBMAP receives an integer from userspace which is then implicitly converted into sector_t to be passed to bmap(). No check is made to ensure userspace didn't send a negative block number, which can end up in an underflow, and returning to userspace a corrupted block address. As a side-effect, the underflow caused by a negative block here, will trigger the WARN() in iomap_bmap_actor(), which is how this issue was first discovered.

Reviewed-by: Christoph Hellwig
Signed-off-by: Carlos Maiolino
Signed-off-by: Al Viro
---
 fs/ioctl.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'fs/ioctl.c')
diff --git a/fs/ioctl.c b/fs/ioctl.c
index 13327862f278..0be9bee9ff8f 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -65,6 +65,9 @@ static int ioctl_fibmap(struct file *filp, int __user *p)
 if (error)
 return error;
+ if (ur_block < 0)
+ return -EINVAL;
+
 block = ur_block;
 error = bmap(inode, &block);
--
cgit v1.2.3
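Review bot: The new `if (ur_block < 0)` guard has no comment, so the reason for it (a signed userspace value wrapping when converted to sector_t) is recorded only in the commit message. A one-line comment above the check would keep a later cleanup from dropping it as redundant: `/* FIBMAP passes a signed int; a negative value would wrap when widened to sector_t */`. ioctl_fibmap starts and ends outside this hunk.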