Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp2884794rwb; Mon, 15 Aug 2022 13:17:19 -0700 (PDT) X-Google-Smtp-Source: AA6agR5PvC8u8AQundDjOrGJ2xVCLlSGDGCxcUeRTBgWRVvI6JV8sBx/7AELEDuvVIlJvk6CH+rL X-Received: by 2002:aa7:cf18:0:b0:43d:34e:11b9 with SMTP id a24-20020aa7cf18000000b0043d034e11b9mr16083277edy.145.1660594638783; Mon, 15 Aug 2022 13:17:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660594638; cv=none; d=google.com; s=arc-20160816; b=M98l49adI9ejEDhC5IQrGLmMF15uYDIFonir1vK2OdXFWk8xx5T+HkrPWhUVRtOUEu k9eWVKrHJngkjg5spPsKp2QCYgbF14Y0IZDuK9WJIB9fF3YR8zq26S1G5+0+JKWBtpDN L6g7aouLqTavGp5g1MkoYFtF8MZjBumI+Xv+Xaocv1npSMttSOyvxMzIve2Bm9ZGqXdn Q+jAv1SwqX7IZDR6jokoNuAQq9ci4NApcZd1vRcDCfpuO+rxc5ntpuOl1omdJq3UeuxM SauhfXyLTKvsx4HDCMsGdJzunzeIoICW6CHlV7amee/xnza2mINlAUU37sfx4XtQTIU+ UJLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=p/+z4E5saC7nj6BKRzX4dJVmcsZQTBacRZAJ08klCZ8=; b=A4JoEss6q/fIwQh6ldMmpg6kIKiLPoXjUzmNRXxtLQZslyRrtKpXnIlx2nLy/IVQCI HYHL7qvxJI6uQqmfMioMu1zgJsm+tQoJS0LInzH7rVb83qaypzhvLkd5MdmnNzBjkXyU PMS5a+H1AX6dTxo6KqBzAFygp8b/oE30JeGskqNdx5pEbMsjZvQxeaVmBK98qijzWq9V oNfJbGRa6/zvEw3xwIH5n71AEGkoOuqouvo6xqrJal9lgjnF0NsWMv52rLDkPF8R/M7W aXo88RCjPiK1numYbM4hlJ43J5M0ny8diMOryKzz21NQMrH8R786UtPtFMifJk0Eq/5y yUVQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="qO/k6c9S"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i14-20020a05640242ce00b0043d646c3ef9si10089187edc.259.2022.08.15.13.16.53; Mon, 15 Aug 2022 13:17:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="qO/k6c9S"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239620AbiHOSRn (ORCPT + 99 others); Mon, 15 Aug 2022 14:17:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59188 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239417AbiHOSQ7 (ORCPT ); Mon, 15 Aug 2022 14:16:59 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2A0572B1A4; Mon, 15 Aug 2022 11:15:02 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 76493B80F99; Mon, 15 Aug 2022 18:15:00 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9203BC4314F; Mon, 15 Aug 2022 18:14:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660587299; bh=e1bcoMHQ8z6gZIrlyNFmAhWYxrybUozV7Q7y76/g4bc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qO/k6c9SPQBCijM86BZdMT9t1FN0XBny0rC4+konVU4XKPIievVA+sGQfRyGsUd4B BQ0Ylh0OIxUG4jwqQXwFK/cNHhHcE2J3o/yzDtLm+NoKdVPxbbXgl6yL0wOVaTeYQr CV459nW37H25X99gS1b73uxEsuQgxSs7pCm0hSMU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Howells , Jeff Layton , Namjae Jeon , stable@kernel.org, Alexander Viro , Steve French , Hyunchul Lee , Chuck Lever , Dave Wysochanski , Linus Torvalds Subject: [PATCH 5.15 040/779] vfs: Check the truncate maximum size in inode_newsize_ok() Date: Mon, 15 Aug 2022 19:54:44 +0200 Message-Id: <20220815180338.945463920@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220815180337.130757997@linuxfoundation.org> References: <20220815180337.130757997@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream. If something manages to set the maximum file size to MAX_OFFSET+1, this can cause the xfs and ext4 filesystems at least to become corrupt. Ordinarily, the kernel protects against userspace trying this by checking the value early in the truncate() and ftruncate() system calls calls - but there are at least two places that this check is bypassed: (1) Cachefiles will round up the EOF of the backing file to DIO block size so as to allow DIO on the final block - but this might push the offset negative. It then calls notify_change(), but this inadvertently bypasses the checking. This can be triggered if someone puts an 8EiB-1 file on a server for someone else to try and access by, say, nfs. (2) ksmbd doesn't check the value it is given in set_end_of_file_info() and then calls vfs_truncate() directly - which also bypasses the check. In both cases, it is potentially possible for a network filesystem to cause a disk filesystem to be corrupted: cachefiles in the client's cache filesystem; ksmbd in the server's filesystem. nfsd is okay as it checks the value, but we can then remove this check too. Fix this by adding a check to inode_newsize_ok(), as called from setattr_prepare(), thereby catching the issue as filesystems set up to perform the truncate with minimal opportunity for bypassing the new check. Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling") Fixes: f44158485826 ("cifsd: add file operations") Signed-off-by: David Howells Reported-by: Jeff Layton Tested-by: Jeff Layton Reviewed-by: Namjae Jeon Cc: stable@kernel.org Acked-by: Alexander Viro cc: Steve French cc: Hyunchul Lee cc: Chuck Lever cc: Dave Wysochanski Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/attr.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/attr.c +++ b/fs/attr.c @@ -184,6 +184,8 @@ EXPORT_SYMBOL(setattr_prepare); */ int inode_newsize_ok(const struct inode *inode, loff_t offset) { + if (offset < 0) + return -EINVAL; if (inode->i_size < offset) { unsigned long limit;