summaryrefslogtreecommitdiffstats
path: root/fs/ioctl.c
diff options
context:
space:
mode:
authorCarlos Maiolino <cmaiolino@redhat.com>2020-01-09 14:30:45 +0100
committerAl Viro <viro@zeniv.linux.org.uk>2020-02-03 14:05:58 +0100
commit324282c0252a44a97d628813e30ea7258940d469 (patch)
treea22618816695a6fa7e078319ba003be102bba12f /fs/ioctl.c
parentfibmap: Use bmap instead of ->bmap method in ioctl_fibmap (diff)
downloadlinux-324282c0252a44a97d628813e30ea7258940d469.tar.xz
linux-324282c0252a44a97d628813e30ea7258940d469.zip
fibmap: Reject negative block numbers
FIBMAP receives an integer from userspace which is then implicitly converted into sector_t to be passed to bmap(). No check is made to ensure userspace didn't send a negative block number, which can end up in an underflow, and returning to userspace a corrupted block address. As a side-effect, the underflow caused by a negative block here, will trigger the WARN() in iomap_bmap_actor(), which is how this issue was first discovered. Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/ioctl.c')
-rw-r--r--fs/ioctl.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/ioctl.c b/fs/ioctl.c
index 13327862f278..0be9bee9ff8f 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -65,6 +65,9 @@ static int ioctl_fibmap(struct file *filp, int __user *p)
if (error)
return error;
+ if (ur_block < 0)
+ return -EINVAL;
+
block = ur_block;
error = bmap(inode, &block);