Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759728Ab0G3Suq (ORCPT ); Fri, 30 Jul 2010 14:50:46 -0400
Received: from kroah.org ([198.145.64.141]:35684 "EHLO coco.kroah.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1759392Ab0G3Rec (ORCPT ); Fri, 30 Jul 2010 13:34:32 -0400
X-Mailbox-Line: From gregkh@clark.site Fri Jul 30 10:31:06 2010
Message-Id: <20100730173106.635795939@clark.site>
User-Agent: quilt/0.48-11.2
Date: Fri, 30 Jul 2010 10:30:08 -0700
From: Greg KH
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk, Dan Rosenberg, Chris Mason
Subject: [043/140] Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE
In-Reply-To: <20100730173205.GA22581@kroah.com>
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1831
Lines: 53

2.6.33-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Dan Rosenberg

commit 2ebc3464781ad24474abcbd2274e6254689853b5 upstream.

1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check
whether the donor file is append-only before writing to it.

2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer overflow
that allows a user to specify an out-of-bounds range to copy from the
source file (if off + len wraps around). I haven't been able to
successfully exploit this, but I'd imagine that a clever attacker could
use this to read things he shouldn't. Even if it's not exploitable, it
couldn't hurt to be safe.

Signed-off-by: Dan Rosenberg
Signed-off-by: Chris Mason
Signed-off-by: Greg Kroah-Hartman

---
 fs/btrfs/ioctl.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -952,7 +952,7 @@ static noinline long btrfs_ioctl_clone(s */ /* the destination must be opened for writing */ - if (!(file->f_mode & FMODE_WRITE)) + if (!(file->f_mode & FMODE_WRITE) || (file->f_flags & O_APPEND)) return -EINVAL; ret = mnt_want_write(file->f_path.mnt); @@ -1005,7 +1005,7 @@ static noinline long btrfs_ioctl_clone(s /* determine range to clone */ ret = -EINVAL; - if (off >= src->i_size || off + len > src->i_size) + if (off + len > src->i_size || off + len < off) goto out_unlock; if (len == 0) olen = len = src->i_size - off; -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
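Review bot: in the first hunk the comment directly above the changed line, `/* the destination must be opened for writing */`, no longer describes the whole condition once `(file->f_flags & O_APPEND)` is rejected as well; extend it to say that a destination opened with O_APPEND is refused, because an append-only open cannot accept a write at an arbitrary offset, so the intent does not have to be reconstructed from the changelog. The changelog's "donor file" also reads as the source, whereas the hunk tests `file`, the destination of the clone; one sentence saying which side the O_APPEND test applies to would avoid that confusion.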
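Review bot: the second hunk drops the `off >= src->i_size` test, which changes behaviour for `off == src->i_size` with `len == 0`: the lines that follow, `if (len == 0) olen = len = src->i_size - off;`, turn `len == 0` into "clone to end of file", so that request used to return -EINVAL and now passes the check and produces a zero-length clone. If that is intended it deserves a sentence in the changelog; otherwise keep the original test next to the new one, i.e. `if (off >= src->i_size || off + len > src->i_size || off + len < off)`. The added `off + len < off` term is the correct wrap guard only when both operands are unsigned; their declarations are outside the hunk, so please confirm they are u64 rather than a signed type, where the wrapped addition would be undefined rather than detectable.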
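As an added illustration of the second point in the changelog (this is example code written for this review, not code from the patch or from fs/btrfs/ioctl.c), the range check is modelled before and after the change as plain C functions. It assumes `off`, `len` and `i_size` are unsigned 64-bit, as the kernel's u64 would be; the real declarations lie outside the quoted hunk. The sample inputs are constructed: an 8 KiB source file and a request whose length wraps the sum back to zero.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the patch or from fs/btrfs/ioctl.c: the
 * range check of btrfs_ioctl_clone() before and after the change, with
 * the operands assumed to be unsigned 64-bit (their declarations lie
 * outside the quoted hunk). */
typedef uint64_t u64;

/* Pre-patch test.  "off + len" is evaluated in u64, so a len close to
 * 2^64 wraps the sum to a small value that sits below i_size, and the
 * out-of-range request is accepted. */
static bool range_ok_old(u64 off, u64 len, u64 i_size)
{
	if (off >= i_size || off + len > i_size)
		return false;
	return true;
}

/* Post-patch test.  An unsigned sum is smaller than one of its addends
 * only if it wrapped, so "off + len < off" rejects exactly the wrapped
 * case without needing a wider type. */
static bool range_ok_new(u64 off, u64 len, u64 i_size)
{
	if (off + len > i_size || off + len < off)
		return false;
	return true;
}

/* Mirrors the lines that follow the hunk: len == 0 means "to end of
 * file".  Returns 0 and stores the effective length, or -EINVAL. */
static int clone_len_new(u64 off, u64 len, u64 i_size, u64 *olen)
{
	if (!range_ok_new(off, len, i_size))
		return -EINVAL;
	if (len == 0)
		len = i_size - off;
	*olen = len;
	return 0;
}

int main(void)
{
	/* Constructed inputs: an 8 KiB source file and a request whose
	 * length wraps the sum back to 0. */
	const u64 i_size = 8192;
	const u64 off = 4096;
	const u64 wrap_len = UINT64_MAX - off + 1;	/* off + wrap_len == 0 */
	u64 olen;

	printf("wrapped request: old=%d new=%d\n",
	       range_ok_old(off, wrap_len, i_size),
	       range_ok_new(off, wrap_len, i_size));
	printf("off == i_size, len == 0: old=%d new=%d\n",
	       range_ok_old(i_size, 0, i_size),
	       range_ok_new(i_size, 0, i_size));
	if (clone_len_new(off, 0, i_size, &olen) == 0)
		printf("clone to end of file: olen=%llu\n",
		       (unsigned long long)olen);
	return 0;
}
```

The second printf shows the behaviour difference a reviewer would want to know about: the old test rejects `off == i_size` outright, the new one lets it through when `len == 0` and the effective length becomes zero.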