Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp3027203rwb; Mon, 15 Aug 2022 16:25:30 -0700 (PDT) X-Google-Smtp-Source: AA6agR7E5b8ZGbhMiY1m6ykgj9cTdobFxL4pEPm3HdHcMfFCsF6SJaVPne4RtQyRHMm24Jw2tyNY X-Received: by 2002:a05:6402:612:b0:43d:5049:4d0f with SMTP id n18-20020a056402061200b0043d50494d0fmr16166277edv.127.1660605837973; Mon, 15 Aug 2022 16:23:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660605837; cv=none; d=google.com; s=arc-20160816; b=irUp9wt51Dnvg+pLtnwGH2QvBG1RIobWdcbLdYTjrgBlmGu5Puuwse0xfPMzZ9TE2i w6VHgBBliOH6MFea3mvOYbza5dbGwb2qcS1EZK1z9g0Ffq1z0YATatgOAY1QQEune34i YABxry9WNkbXMh1Ow0W8blAlorGXa7w2bLFnfHn+5JTQcna6zKe1cFsOqXY9FiRIXtt6 tOJPWMO7xUkMC3PXPhuF507QmMQpcuioZ7nE2GdtcWbh1zpcOuVThdzk8YyB2LnzUXG+ jW63y0Qs+7BbU66gDJYk3Q9QJxbiqJxaRUq4QMHeLCmEOE8F5EIFUtBW+BIsiNgnutPS 37xg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=p/+z4E5saC7nj6BKRzX4dJVmcsZQTBacRZAJ08klCZ8=; b=fnHBNC8l+c/ZSaYfn2Pl++Fauvfti8f9G8i9e+RTUR7HkNbU+29mJ4atJ8Vuoy6IBm zJMBkM3zAsSn4/0g5Z6UDtFKro8Hk92LjuY++oC0qzIJHBPrPsI8Op7caNWOinCwP+YR 64rVIXc4Pczn9in7MBMtP1xzTY5HNPWP2wdl3FW4vB2qcknS6jw6yxjstURwxax9D/fj cCbW78ics1Ag7A3WAaxv6ueG2DKYa7SYUiP78dt3Ov1oN2cTAukam5TaQIQpzkNxlp75 8lO3MI3T4MTmnd6NVujg59c/tcewdWYD3mA4kd0x6tHbt/67x8N9Q0ljLXRMPkQ8OJcG yDkw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=phGKZyY0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dm5-20020a170907948500b00738553043e5si3562385ejc.573.2022.08.15.16.23.32; Mon, 15 Aug 2022 16:23:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=phGKZyY0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344290AbiHOWDy (ORCPT + 99 others); Mon, 15 Aug 2022 18:03:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35076 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348990AbiHOWBZ (ORCPT ); Mon, 15 Aug 2022 18:01:25 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7EC8810EEDD; Mon, 15 Aug 2022 12:35:53 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 60C1C61089; Mon, 15 Aug 2022 19:35:53 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 448E0C433D6; Mon, 15 Aug 2022 19:35:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660592152; bh=e1bcoMHQ8z6gZIrlyNFmAhWYxrybUozV7Q7y76/g4bc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=phGKZyY0K/2zKzift24YxRkAiSBpX9yL1AQb0vAoI8dD080+Qlu6FxmNEpG2dXz7E 6wyXNyCOY6+k4RXxdBoSSmxdS+kU6hH5FMsU/fhN6ti/2tTHuxaTHQUtpz6jnX0RZZ Kl7a+Dau/dWX5JrB7MPxpNPHc7jtWN99liMAP3D8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Howells , Jeff Layton , Namjae Jeon , stable@kernel.org, Alexander Viro , Steve French , Hyunchul Lee , Chuck Lever , Dave Wysochanski , Linus Torvalds Subject: [PATCH 5.19 0053/1157] vfs: Check the truncate maximum size in inode_newsize_ok() Date: Mon, 15 Aug 2022 19:50:09 +0200 Message-Id: <20220815180441.572481916@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220815180439.416659447@linuxfoundation.org> References: <20220815180439.416659447@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream. If something manages to set the maximum file size to MAX_OFFSET+1, this can cause the xfs and ext4 filesystems at least to become corrupt. Ordinarily, the kernel protects against userspace trying this by checking the value early in the truncate() and ftruncate() system calls calls - but there are at least two places that this check is bypassed: (1) Cachefiles will round up the EOF of the backing file to DIO block size so as to allow DIO on the final block - but this might push the offset negative. It then calls notify_change(), but this inadvertently bypasses the checking. This can be triggered if someone puts an 8EiB-1 file on a server for someone else to try and access by, say, nfs. (2) ksmbd doesn't check the value it is given in set_end_of_file_info() and then calls vfs_truncate() directly - which also bypasses the check. In both cases, it is potentially possible for a network filesystem to cause a disk filesystem to be corrupted: cachefiles in the client's cache filesystem; ksmbd in the server's filesystem. nfsd is okay as it checks the value, but we can then remove this check too. Fix this by adding a check to inode_newsize_ok(), as called from setattr_prepare(), thereby catching the issue as filesystems set up to perform the truncate with minimal opportunity for bypassing the new check. Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling") Fixes: f44158485826 ("cifsd: add file operations") Signed-off-by: David Howells Reported-by: Jeff Layton Tested-by: Jeff Layton Reviewed-by: Namjae Jeon Cc: stable@kernel.org Acked-by: Alexander Viro cc: Steve French cc: Hyunchul Lee cc: Chuck Lever cc: Dave Wysochanski Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/attr.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/attr.c +++ b/fs/attr.c @@ -184,6 +184,8 @@ EXPORT_SYMBOL(setattr_prepare); */ int inode_newsize_ok(const struct inode *inode, loff_t offset) { + if (offset < 0) + return -EINVAL; if (inode->i_size < offset) { unsigned long limit;