diff options
author | Dan Rosenberg <dan.j.rosenberg@gmail.com> | 2010-07-19 16:58:20 -0400 |
---|---|---|
committer | Chris Mason <chris.mason@oracle.com> | 2010-07-19 16:58:20 -0400 |
commit | 2ebc3464781ad24474abcbd2274e6254689853b5 (patch) | |
tree | 3d58dfcc14948672c0aac1636cdd57cbe46a135d | |
parent | b5384d48f4e74edec3ca1887cb65e378a72af9a1 (diff) |
Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE
1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check
whether the donor file is append-only before writing to it.
2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer
overflow that allows a user to specify an out-of-bounds range to copy
from the source file (if off + len wraps around). I haven't been able
to successfully exploit this, but I'd imagine that a clever attacker
could use this to read things he shouldn't. Even if it's not
exploitable, it couldn't hurt to be safe.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
cc: stable@kernel.org
Signed-off-by: Chris Mason <chris.mason@oracle.com>
-rw-r--r-- | fs/btrfs/ioctl.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 2a8b3a7568ad..9254b3d58dbe 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c | |||
@@ -1458,7 +1458,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd, | |||
1458 | */ | 1458 | */ |
1459 | 1459 | ||
1460 | /* the destination must be opened for writing */ | 1460 | /* the destination must be opened for writing */ |
1461 | if (!(file->f_mode & FMODE_WRITE)) | 1461 | if (!(file->f_mode & FMODE_WRITE) || (file->f_flags & O_APPEND)) |
1462 | return -EINVAL; | 1462 | return -EINVAL; |
1463 | 1463 | ||
1464 | ret = mnt_want_write(file->f_path.mnt); | 1464 | ret = mnt_want_write(file->f_path.mnt); |
@@ -1511,7 +1511,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd, | |||
1511 | 1511 | ||
1512 | /* determine range to clone */ | 1512 | /* determine range to clone */ |
1513 | ret = -EINVAL; | 1513 | ret = -EINVAL; |
1514 | if (off >= src->i_size || off + len > src->i_size) | 1514 | if (off + len > src->i_size || off + len < off) |
1515 | goto out_unlock; | 1515 | goto out_unlock; |
1516 | if (len == 0) | 1516 | if (len == 0) |
1517 | olen = len = src->i_size - off; | 1517 | olen = len = src->i_size - off; |