Received: by 2002:a05:6358:5282:b0:b5:90e7:25cb with SMTP id g2csp3502015rwa; Tue, 23 Aug 2022 05:57:22 -0700 (PDT) X-Google-Smtp-Source: AA6agR6S21+Bafjrv2GEgN3avhgw4PdcsJRj/c9+aq4QOGdUV2fxrkWKRqE0WSyk0UZhfHAoOra8 X-Received: by 2002:a63:db0b:0:b0:429:f039:74c5 with SMTP id e11-20020a63db0b000000b00429f03974c5mr20451473pgg.551.1661259441802; Tue, 23 Aug 2022 05:57:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661259441; cv=none; d=google.com; s=arc-20160816; b=hEcGrhH4n9TdZehk+p3M7X81+RTS+hzNFAbu7ueFmhLzCFyPaDMMkfAu1EoAATC6d0 atsJG9bz+42NgfVXjjzyEzE0T7oZeJb4xt64jCnR5wZ5E9rXEHlgzs685kTgmgZoUYhU 1HM2KqdQBJUHdSVNSCaVOdCFyZ4AFlRoOOD0ZaDuU8TpobR3zWrezH7FENJ1Ohs/myUS HZXrlT3jkQiwc/2vKc77iF+2ucOyUu8p3yeP4Aq42AhSWX0yoF4vWmdbTCKt5/2Sucyc rzLFIzZck1WFEe2agqpSNuoRds5N6O78ra5+6+ZuxFpA5mV4hDxWL/7t4i0Dfo9YXejr FAYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=qtAxFfP6S4OFFYQe0DeVanu+giTripzowg5LjeG/9k8=; b=SJ9L48nqU1lSbkhOX2snZKTAgpod994MFVLFfXS9R1WdgqxfYEprHHAL3ogjQDTd6L O1wWuC0S3TSf+ZZD5yCGpAflwztOcWeWCu5m8XHBu/2V4suo7V/5bbxZShxU/O+9xVio 1nMLcBcpKZRBEZQlndIzo4X/NfrPOCWGlDt+KvXT1dPJhx/dTJIV0DFN9YOMwQDVgqSa NSwBJPgdo9JQ/svc4CuJaC/H8KDODxZFRxLwQNTqikwoG+hBsdGAR0XXi2aVB6RPnTW1 wQ/7971g7HQJ8OjQSc33M9FVLJYLNGCDs6ydP8TC/Z1jflxVssH+wGNYMYnCHNJ7vAfF oR2A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=z2sMjReY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a17-20020a63e411000000b00429cf3b6637si14984139pgi.697.2022.08.23.05.57.10; Tue, 23 Aug 2022 05:57:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=z2sMjReY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240962AbiHWLI4 (ORCPT + 99 others); Tue, 23 Aug 2022 07:08:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52446 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357401AbiHWLGu (ORCPT ); Tue, 23 Aug 2022 07:06:50 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2339F6CF67; Tue, 23 Aug 2022 02:16:15 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 27FBBB81C66; Tue, 23 Aug 2022 09:16:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6025AC433C1; Tue, 23 Aug 2022 09:16:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661246169; bh=IGDBEkHT1pZ8hKcwC2DsQNonTbxCMoyXiydF2Q3tDkM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=z2sMjReYt58wCyM7qnSpzW30onaS6vt50YOzSR2nK4u8ERpkW5biEPM9Y9oavGuwS HFiIvhtOy5Bi++da76/WpGEB4O086w/DTmwelSMfhd//pcHV+bSszl2zNkU828B+YP meWqS3Op6VTlAHg8OXn6DWmFzsb1+kknPDetT5S8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Howells , Jeff Layton , Namjae Jeon , stable@kernel.org, Alexander Viro , Steve French , Hyunchul Lee , Chuck Lever , Dave Wysochanski , Linus Torvalds Subject: [PATCH 5.4 023/389] vfs: Check the truncate maximum size in inode_newsize_ok() Date: Tue, 23 Aug 2022 10:21:41 +0200 Message-Id: <20220823080116.672111257@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080115.331990024@linuxfoundation.org> References: <20220823080115.331990024@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 upstream. If something manages to set the maximum file size to MAX_OFFSET+1, this can cause the xfs and ext4 filesystems at least to become corrupt. Ordinarily, the kernel protects against userspace trying this by checking the value early in the truncate() and ftruncate() system calls calls - but there are at least two places that this check is bypassed: (1) Cachefiles will round up the EOF of the backing file to DIO block size so as to allow DIO on the final block - but this might push the offset negative. It then calls notify_change(), but this inadvertently bypasses the checking. This can be triggered if someone puts an 8EiB-1 file on a server for someone else to try and access by, say, nfs. (2) ksmbd doesn't check the value it is given in set_end_of_file_info() and then calls vfs_truncate() directly - which also bypasses the check. In both cases, it is potentially possible for a network filesystem to cause a disk filesystem to be corrupted: cachefiles in the client's cache filesystem; ksmbd in the server's filesystem. nfsd is okay as it checks the value, but we can then remove this check too. Fix this by adding a check to inode_newsize_ok(), as called from setattr_prepare(), thereby catching the issue as filesystems set up to perform the truncate with minimal opportunity for bypassing the new check. Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling") Fixes: f44158485826 ("cifsd: add file operations") Signed-off-by: David Howells Reported-by: Jeff Layton Tested-by: Jeff Layton Reviewed-by: Namjae Jeon Cc: stable@kernel.org Acked-by: Alexander Viro cc: Steve French cc: Hyunchul Lee cc: Chuck Lever cc: Dave Wysochanski Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/attr.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/attr.c +++ b/fs/attr.c @@ -134,6 +134,8 @@ EXPORT_SYMBOL(setattr_prepare); */ int inode_newsize_ok(const struct inode *inode, loff_t offset) { + if (offset < 0) + return -EINVAL; if (inode->i_size < offset) { unsigned long limit;