From patchwork Wed May 30 07:59:51 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chengguang Xu <cgxu519@gmx.com>
X-Patchwork-Id: 10437835
Return-Path: <ceph-devel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	4C4D7602CC for <patchwork-ceph-devel@patchwork.kernel.org>;
	Wed, 30 May 2018 08:00:36 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3FC3728695
	for <patchwork-ceph-devel@patchwork.kernel.org>;
	Wed, 30 May 2018 08:00:36 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 32AD0288B4; Wed, 30 May 2018 08:00:36 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,FREEMAIL_FROM,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2245028695
	for <patchwork-ceph-devel@patchwork.kernel.org>;
	Wed, 30 May 2018 08:00:35 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S935884AbeE3IAd (ORCPT
	<rfc822;patchwork-ceph-devel@patchwork.kernel.org>);
	Wed, 30 May 2018 04:00:33 -0400
Received: from mout.gmx.net ([212.227.15.19]:46977 "EHLO mout.gmx.net"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S935164AbeE3IAc (ORCPT <rfc822;ceph-devel@vger.kernel.org>);
	Wed, 30 May 2018 04:00:32 -0400
Received: from localhost.localdomain ([122.224.77.194]) by mail.gmx.com
	(mrgmx001 [212.227.17.184]) with ESMTPSA (Nemesis) id
	0Mbwm6-1fdokj1gZi-00JLlC; Wed, 30 May 2018 10:00:24 +0200
From: Chengguang Xu <cgxu519@gmx.com>
To: ceph-devel@vger.kernel.org
Cc: zyan@redhat.com, idryomov@gmail.com, Chengguang Xu <cgxu519@gmx.com>
Subject: [PATCH v2] ceph: strengthen the validation check about
	rsize/wsize/readdir_max_bytes
Date: Wed, 30 May 2018 15:59:51 +0800
Message-Id: <20180530075951.32160-1-cgxu519@gmx.com>
X-Mailer: git-send-email 2.17.0
X-Provags-ID: V03:K1:ozAUuoQkfTHG23yhtcUCUgBMDSnfX0d5d33Vs49g7cGm11bd5lA
	jdch23XAhNmBSlHWQscYb8HvzynYyFvLmJvbMRdgdjf3Y5NJM9VXWLpA85QWdseEX9kUPAL
	XAtjtzlCPyqcdWbLfhTc0A9Vr03c3+Hg87Ca8OXzz1Dg0gHvT9gldgXt4pIJzJP7ghw0gyD
	CxMK4/AjDka/8lDkgW5HQ==
X-UI-Out-Filterresults: notjunk:1; V01:K0:Ho3REkUtRZY=:I1HxKchSJGNugWua0FxJsw
	xIIVbf5US/Xxg4bD+F+MuhHzz3B9SPPS0fmULt2ezyh07XffJuJvTWjSh8RPlcQjBaS3A0DuL
	zjIUlmzTO4MDj53nkXwwY7ZlQVOdyt4g9mYbChv+dyM4MB+hra/ZNk1L3FkEQgSv/kzqYlEDk
	qD58ws7XHbdCUHKmRn0iQJb84MyfI/eMPASiQtkfXeT4TYP6IYZFsXGkFuTqwvN2eU7CbnmpS
	kjOvzTuI4lx7PClN8PTZ/Q6eXaHMhNxnfFdUIL+HZvZJEbb5+wEilwAakGxbbKymSjfv28pp4
	NsJpsNgKlSNDD9WRn+WuCtEWSvYb97Am6CZJmKNmYQ/z46fQ9Fs5AmdD8SoM2hF1gXjuY84Du
	q6oPgth+ciP+Bf8xAq9yeM5IkWKF7SiaaapAVWtgsPYBEs0UbTP0OV9jLtc7DYBOMAYbx00O0
	aRy5p0NjaTxL4tGhU/O5qHY/UgpvwunRiaMr83ZODzY8oTeVMZnw61nakqIsYjuozrDwbqZ4A
	C63eFv4EPddlFoghpXPe17TvzXcJvyN7C9+uR0tCkVdGlUZEFjsstwmwB73xM98YHWVejSZLC
	2rsqtulmz/2jRCGrHlitZI6ud9coB1aKKc1dq+adXKEffopMAlylO6XGtd3wAQbqcUAjOSfEw
	/jyfkGdwS4du/Dm2eqxlqVVkBn6tJXSqg+ZmtMoXaOsmpn00VYfULAA7PW9x/Bj6Q6/FVthXD
	zxt0fdC23yXiYe1aWT5hClbN/sYtTnBtEYiyRn1PdxUhKglQUulwDc5ryHc=
Sender: ceph-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <ceph-devel.vger.kernel.org>
X-Mailing-List: ceph-devel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The check(intval < PAGE_SIZE) will involve type cast to intval,
so even when specifying negative value to rsize/wsize/readdir_max_bytes,
it will pass the validation check successfully.

Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
---
v1->v2:
- strengthen the validation check for readdir_max_bytes as well.

 fs/ceph/super.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/fs/ceph/super.c b/fs/ceph/super.c
index b33082e6878f..d7e140830d0b 100644
--- a/fs/ceph/super.c
+++ b/fs/ceph/super.c
@@ -256,12 +256,14 @@ static int parse_fsopt_token(char *c, void *private)
 		break;
 		/* misc */
 	case Opt_wsize:
-		if (intval < PAGE_SIZE || intval > CEPH_MAX_WRITE_SIZE)
+		if (intval < 0 ||
+			intval < PAGE_SIZE || intval > CEPH_MAX_WRITE_SIZE)
 			return -EINVAL;
 		fsopt->wsize = ALIGN(intval, PAGE_SIZE);
 		break;
 	case Opt_rsize:
-		if (intval < PAGE_SIZE || intval > CEPH_MAX_READ_SIZE)
+		if (intval < 0 ||
+			intval < PAGE_SIZE || intval > CEPH_MAX_READ_SIZE)
 			return -EINVAL;
 		fsopt->rsize = ALIGN(intval, PAGE_SIZE);
 		break;
@@ -286,7 +288,7 @@ static int parse_fsopt_token(char *c, void *private)
 		fsopt->max_readdir = intval;
 		break;
 	case Opt_readdir_max_bytes:
-		if (intval < PAGE_SIZE && intval != 0)
+		if (intval < 0 || (intval < PAGE_SIZE && intval != 0))
 			return -EINVAL;
 		fsopt->max_readdir_bytes = intval;
 		break;