xfs: fix type confusion in xfs_ioc_swapext

When calling fdget() in xfs_ioc_swapext(), we need to verify that
the file descriptors passed into the ioctl point to XFS inodes
before we start operations on them. If we don't do this, we could be
referencing arbitrary kernel memory as an XFS inode. THis could lead
to memory corruption and/or performing locking operations on
attacker-chosen structures in kernel memory.

[dchinner: rewrite commit message ]
[dchinner: add comment explaining new check ]

Signed-off-by: Jann Horn <jann@thejh.net>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>

1 files changed, 11 insertions, 0 deletions

diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index dbca7375deef..408f3ad348ab 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1575,6 +1575,17 @@ xfs_ioc_swapext(
                 goto out_put_tmp_file;
         }
 
+        /*
+         * We need to ensure that the fds passed in point to XFS inodes
+         * before we cast and access them as XFS structures as we have no
+         * control over what the user passes us here.
+         */
+        if (f.file->f_op != &xfs_file_operations ||
+            tmp.file->f_op != &xfs_file_operations) {
+                error = -EINVAL;
+                goto out_put_tmp_file;
+        }
+
         ip = XFS_I(file_inode(f.file));
         tip = XFS_I(file_inode(tmp.file));