Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp2890347rwb; Mon, 15 Aug 2022 13:24:33 -0700 (PDT) X-Google-Smtp-Source: AA6agR4gDfaStneLByQuRyM9OSnjxDrT+41KZwSKQJEAb5YamlWaaKcVEgQ5smA21gw9jO5dx08H X-Received: by 2002:a17:906:5d0b:b0:731:3310:4188 with SMTP id g11-20020a1709065d0b00b0073133104188mr11636511ejt.208.1660595073030; Mon, 15 Aug 2022 13:24:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660595073; cv=none; d=google.com; s=arc-20160816; b=rrbxJPB48fn/7Ry8tMoswGPLhpIZc1ugp35nT36z55evodQYO0wDm81vSCOpdUbdAC GUs7jnBG7dhhcPr0/LUAnYyHixNoy+aSRxudCg3hWMk1FYucnvnjXzY27ywvZQO7cr++ KXsRPIHhdTq1hWsv/A+R1U2TigK4OOWq4JWUjQ/ECS+sW0dqjKQAupdX1ENrFBESZeE2 CzNBlUX8QWFyu8y/XFmdWtHJFd+W1FIu9WH//bnKAPhxLhjV3Ob7yjJnXLNEcSgLjx53 KcyVH7UOm8i3/SHVnMvUTvxem8LHIhMPC4J/VEOCzi5KI6Ei9pRmSiwTUNG1oYouiu2j QOTA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=p/+z4E5saC7nj6BKRzX4dJVmcsZQTBacRZAJ08klCZ8=; b=06f2NuBG4UX5h6jyfG36OIrqRby4s7yto//Uqpw2vRn0B9uuuO7Eud1imxOa7R2iZv 3/jrO8XtERFIWAwTEj21Yl6AgnJcP2JCoYZBK3O0q9L4yqIYJIOfdTruVB2V0AtBvkVl dc3THHfqneWcfyOu71Tf0HTdestkOgd93pzQ3hmDqlyceO/QWBJVS/w0wkeEqtTVNEfH PBOUG6gCd1EXXhtSMd1ZP7H5+qCSuYab61di03MTidmvEfysLt9e1nQOXSpUMsqMBCz0 JHpsvUMk4B6S2hIY01UaamUWUeojsUdTlenHsODWfsClDvDDaPUA3sWhxsJLgSRjy62f Td7A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LfmRNZF+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a20-20020a170906469400b007308b971d64si7047939ejr.571.2022.08.15.13.24.04; Mon, 15 Aug 2022 13:24:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LfmRNZF+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244141AbiHOUSX (ORCPT + 99 others); Mon, 15 Aug 2022 16:18:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52362 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243999AbiHOUKj (ORCPT ); Mon, 15 Aug 2022 16:10:39 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 833296424; Mon, 15 Aug 2022 11:56:28 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 35BF9B81057; Mon, 15 Aug 2022 18:56:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A3002C433C1; Mon, 15 Aug 2022 18:56:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660589785; bh=e1bcoMHQ8z6gZIrlyNFmAhWYxrybUozV7Q7y76/g4bc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LfmRNZF+NPwRTssJk7wrAMdfKhXqB7a9Ox3e4dk2aa5Glhf+X/4Yd3xwSpmYOY2DL Z5OUxC3WwM5DL2xGVLhD9W9zdAy/UeVRWV32QdkkGOEALL1bUPLWy05rQw92DVf4YG RBcsNjgxWHaLXNR0FulE2iGfyj6bnC++ETgMZLlY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Howells , Jeff Layton , Namjae Jeon , stable@kernel.org, Alexander Viro , Steve French , Hyunchul Lee , Chuck Lever , Dave Wysochanski , Linus Torvalds Subject: [PATCH 5.18 0047/1095] vfs: Check the truncate maximum size in inode_newsize_ok() Date: Mon, 15 Aug 2022 19:50:46 +0200 Message-Id: <20220815180431.398765259@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220815180429.240518113@linuxfoundation.org> References: <20220815180429.240518113@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream. If something manages to set the maximum file size to MAX_OFFSET+1, this can cause the xfs and ext4 filesystems at least to become corrupt. Ordinarily, the kernel protects against userspace trying this by checking the value early in the truncate() and ftruncate() system calls calls - but there are at least two places that this check is bypassed: (1) Cachefiles will round up the EOF of the backing file to DIO block size so as to allow DIO on the final block - but this might push the offset negative. It then calls notify_change(), but this inadvertently bypasses the checking. This can be triggered if someone puts an 8EiB-1 file on a server for someone else to try and access by, say, nfs. (2) ksmbd doesn't check the value it is given in set_end_of_file_info() and then calls vfs_truncate() directly - which also bypasses the check. In both cases, it is potentially possible for a network filesystem to cause a disk filesystem to be corrupted: cachefiles in the client's cache filesystem; ksmbd in the server's filesystem. nfsd is okay as it checks the value, but we can then remove this check too. Fix this by adding a check to inode_newsize_ok(), as called from setattr_prepare(), thereby catching the issue as filesystems set up to perform the truncate with minimal opportunity for bypassing the new check. Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling") Fixes: f44158485826 ("cifsd: add file operations") Signed-off-by: David Howells Reported-by: Jeff Layton Tested-by: Jeff Layton Reviewed-by: Namjae Jeon Cc: stable@kernel.org Acked-by: Alexander Viro cc: Steve French cc: Hyunchul Lee cc: Chuck Lever cc: Dave Wysochanski Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/attr.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/attr.c +++ b/fs/attr.c @@ -184,6 +184,8 @@ EXPORT_SYMBOL(setattr_prepare); */ int inode_newsize_ok(const struct inode *inode, loff_t offset) { + if (offset < 0) + return -EINVAL; if (inode->i_size < offset) { unsigned long limit;