| From fc2f6de11ad98a998140b9bcb573c9c53bd9f969 Mon Sep 17 00:00:00 2001 |
| From: Zach Brown <zab@redhat.com> |
| Date: Tue, 24 Jul 2012 12:10:11 -0700 |
| Subject: [PATCH] fuse: verify all ioctl retry iov elements |
| |
| commit fb6ccff667712c46b4501b920ea73a326e49626a upstream. |
| |
| Commit 7572777eef78ebdee1ecb7c258c0ef94d35bad16 attempted to verify that |
| the total iovec from the client doesn't overflow iov_length() but it |
| only checked the first element. The iovec could still overflow by |
| starting with a small element. The obvious fix is to check all the |
| elements. |
| |
| The overflow case doesn't look dangerous to the kernel as the copy is |
| limited by the length after the overflow. This fix restores the |
| intention of returning an error instead of successfully copying less |
| than the iovec represented. |
| |
| I found this by code inspection. I built it but don't have a test case. |
| I'm cc:ing stable because the initial commit did as well. |
| |
| Signed-off-by: Zach Brown <zab@redhat.com> |
| Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| fs/fuse/file.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/fs/fuse/file.c b/fs/fuse/file.c |
| index f6104a958812..102d58297174 100644 |
| --- a/fs/fuse/file.c |
| +++ b/fs/fuse/file.c |
| @@ -1664,7 +1664,7 @@ static int fuse_verify_ioctl_iov(struct iovec *iov, size_t count) |
| size_t n; |
| u32 max = FUSE_MAX_PAGES_PER_REQ << PAGE_SHIFT; |
| |
| - for (n = 0; n < count; n++) { |
| + for (n = 0; n < count; n++, iov++) { |
| if (iov->iov_len > (size_t) max) |
| return -ENOMEM; |
| max -= iov->iov_len; |
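Review bot: the loop header now carries two induction variables, `n` and `iov`, and the body reads through the advancing parameter pointer (`iov->iov_len`). Indexing as `iov[n].iov_len` in both the comparison and the `max -= ...` line would make the per-element check explicit and leave the `iov` argument unmodified, which is harder to get wrong if code is later added after the loop. The commit message also says the change was built but has no test case, so a regression test for the retry path is worth adding: a multi-element iovec whose first element is small and whose later elements push the total past `FUSE_MAX_PAGES_PER_REQ << PAGE_SHIFT` should now return -ENOMEM instead of succeeding with a copy shorter than the iovec described.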
| -- |
| 1.8.5.2 |
| |