Received: by 2002:a05:6358:5282:b0:b5:90e7:25cb with SMTP id g2csp3469834rwa; Tue, 23 Aug 2022 05:24:28 -0700 (PDT) X-Google-Smtp-Source: AA6agR5+wZpjtF+3S+ucotqpIrlIn5kqAfsasQFyt7khZsTTQqgVLSdgIXbojsnhVOXgnLDO+1+c X-Received: by 2002:a05:6a00:9a5:b0:536:29e:c91d with SMTP id u37-20020a056a0009a500b00536029ec91dmr20966463pfg.22.1661257467793; Tue, 23 Aug 2022 05:24:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661257467; cv=none; d=google.com; s=arc-20160816; b=jmLtI7SLJabDDNJ1aGTj4itzfDeBNsVxT2f0LedYw3lDjoVO4LGLnQfA8CMbnJDVOv 3QH00TNTd88g8wcnGU1dN0y3pp22qv5pfj6GyfK3pIeAeAVjLMTd+Jrdjb5So9rkQKQr xJvnx9O+X6qKiDR/dNe4ZPnsaPRY9wGcgurAm581VFKzCI+pa6x5fZdgY3zOOjm24dYJ gg2vZmhi246wnEvqLYhySJkfrNLlwW9ulKJ8idglH3y34XrDV3BIqL1yP/C8PN169n89 vQ3VrPvYCAEOK+aDh3lHmLU1U1eBmKVgfLuw8VFmMMta6m0Th0DyG62uH+CyNMxQBx0r pAtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=qtAxFfP6S4OFFYQe0DeVanu+giTripzowg5LjeG/9k8=; b=AtZZ5jOP55cqKMMtiP7EEWORUL3gyt2v0JbH/D56JTt1aS2KWKtcCGC3EmjrEJy0Cg qaTfLH/gCvH7Lt6RI6symozqvp31djY6e2ffAryaPAY9Nn6OMgGUXx8ecXLDDlEbzyUy AkzeXNN2Zk9AmOuiMPGKYbBERRrXsVKGT/IddTeYk4h4oo4/omlGfscUHdqQFu+9zqm1 sthRQggQN8YsUBb6SdBdZVBVJ4MhE0SEIh4xjVhQHfsHtD6cRUeveSMDfjc8XIZLjnG/ rMPYNdm4Y6SxkmNWyVcPIOaGf7cgRobNpX92BLjgXedgW5czKBOqLwWd1f0X0NL6l7yp /nJA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ziU1jtNn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y8-20020a17090322c800b00172dab46a8asi9772654plg.151.2022.08.23.05.24.17; Tue, 23 Aug 2022 05:24:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ziU1jtNn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1355221AbiHWKb0 (ORCPT + 99 others); Tue, 23 Aug 2022 06:31:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47382 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353205AbiHWKPP (ORCPT ); Tue, 23 Aug 2022 06:15:15 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2767C74348; Tue, 23 Aug 2022 02:00:39 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id D7AA0B81C3A; Tue, 23 Aug 2022 09:00:37 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 11416C433C1; Tue, 23 Aug 2022 09:00:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661245236; bh=IGDBEkHT1pZ8hKcwC2DsQNonTbxCMoyXiydF2Q3tDkM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ziU1jtNn+f6ZaeGART+6b6BAtdmPztUnR80WSlyDR62AgF7WCL66OUaqN1SOF29Z0 CN7E0gFsbLr/uc/H0B2u14YgquOkf0yHE3IzSFJ+Sj+vuoYV4by6rBJAW3SPNsA1cE ByobVMECg4NfOIXknc/1q6mIKUfqwcFe88UOkZZg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Howells , Jeff Layton , Namjae Jeon , stable@kernel.org, Alexander Viro , Steve French , Hyunchul Lee , Chuck Lever , Dave Wysochanski , Linus Torvalds Subject: [PATCH 4.19 015/287] vfs: Check the truncate maximum size in inode_newsize_ok() Date: Tue, 23 Aug 2022 10:23:04 +0200 Message-Id: <20220823080100.798358252@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080100.268827165@linuxfoundation.org> References: <20220823080100.268827165@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream. If something manages to set the maximum file size to MAX_OFFSET+1, this can cause the xfs and ext4 filesystems at least to become corrupt. Ordinarily, the kernel protects against userspace trying this by checking the value early in the truncate() and ftruncate() system calls calls - but there are at least two places that this check is bypassed: (1) Cachefiles will round up the EOF of the backing file to DIO block size so as to allow DIO on the final block - but this might push the offset negative. It then calls notify_change(), but this inadvertently bypasses the checking. This can be triggered if someone puts an 8EiB-1 file on a server for someone else to try and access by, say, nfs. (2) ksmbd doesn't check the value it is given in set_end_of_file_info() and then calls vfs_truncate() directly - which also bypasses the check. In both cases, it is potentially possible for a network filesystem to cause a disk filesystem to be corrupted: cachefiles in the client's cache filesystem; ksmbd in the server's filesystem. nfsd is okay as it checks the value, but we can then remove this check too. Fix this by adding a check to inode_newsize_ok(), as called from setattr_prepare(), thereby catching the issue as filesystems set up to perform the truncate with minimal opportunity for bypassing the new check. Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling") Fixes: f44158485826 ("cifsd: add file operations") Signed-off-by: David Howells Reported-by: Jeff Layton Tested-by: Jeff Layton Reviewed-by: Namjae Jeon Cc: stable@kernel.org Acked-by: Alexander Viro cc: Steve French cc: Hyunchul Lee cc: Chuck Lever cc: Dave Wysochanski Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/attr.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/attr.c +++ b/fs/attr.c @@ -134,6 +134,8 @@ EXPORT_SYMBOL(setattr_prepare); */ int inode_newsize_ok(const struct inode *inode, loff_t offset) { + if (offset < 0) + return -EINVAL; if (inode->i_size < offset) { unsigned long limit;