Message ID | 20240801071707.8296-1-r.smirnov@omp.ru (mailing list archive)
---|---
State | New
Series | [f2fs-dev] f2fs: file: add checks to f2fs_ioc_flush_device()
On 2024/8/1 15:17, Roman Smirnov wrote:
> If invalid data is copied from user space and if GET_SEGNO()
> returns NULL_SEGNO an overflow is possible.

Can you explain in which condition FDEV(range.dev_num).start_blk or FDEV(range.dev_num).end_blk will be invalid?

>
> Add checks for invalid values.
>
> Found by Linux Verification Center (linuxtesting.org) with Svace.
>
> Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
> ---
> fs/f2fs/file.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
> index 168f08507004..1b9c4fee9db1 100644
> --- a/fs/f2fs/file.c
> +++ b/fs/f2fs/file.c
> @@ -3093,6 +3093,9 @@ static int f2fs_ioc_flush_device(struct file *filp, unsigned long arg)
> start_segno = dev_start_segno;
> end_segno = min(start_segno + range.segments, dev_end_segno);
>
> + if (start_segno > F2FS_MAX_SEGMENT - range.segments || end_segno == NULL_SEGNO)
> + return -EINVAL;

It missed calling mnt_drop_write_file() before return.

Thanks,

> +
> while (start_segno < end_segno) {
> if (!f2fs_down_write_trylock(&sbi->gc_lock)) {
> ret = -EBUSY;
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index 168f08507004..1b9c4fee9db1 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -3093,6 +3093,9 @@ static int f2fs_ioc_flush_device(struct file *filp, unsigned long arg) start_segno = dev_start_segno; end_segno = min(start_segno + range.segments, dev_end_segno); + if (start_segno > F2FS_MAX_SEGMENT - range.segments || end_segno == NULL_SEGNO) + return -EINVAL; + while (start_segno < end_segno) { if (!f2fs_down_write_trylock(&sbi->gc_lock)) { ret = -EBUSY;
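Review bot: the new `return -EINVAL` directly after `end_segno = min(start_segno + range.segments, dev_end_segno)` leaves the function without calling mnt_drop_write_file(), which is the point raised in the reply; set `ret = -EINVAL` and exit through a path that drops the write reference rather than returning in place. The ordering of the check is also questionable: `start_segno + range.segments` has already been evaluated on the line above by the time `start_segno > F2FS_MAX_SEGMENT - range.segments` runs, so if the concern is that this addition can overflow, the bound on `range.segments` has to be tested before that addition, and `F2FS_MAX_SEGMENT - range.segments` is itself computed from the still-unvalidated value. Finally, the commit message should state the concrete condition under which GET_SEGNO() returns NULL_SEGNO for FDEV(range.dev_num).start_blk or end_blk, as the reviewer asks; without that, the need for the second half of the check is not established.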
If invalid data is copied from user space and if GET_SEGNO()
returns NULL_SEGNO, an overflow is possible.

Add checks for invalid values.

Found by Linux Verification Center (linuxtesting.org) with Svace.

Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
---
 fs/f2fs/file.c | 3 +++
 1 file changed, 3 insertions(+)