Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE

1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check whether the donor file is append-only before writing to it. 2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer overflow that allows a user to specify an out-of-bounds range to copy from the source file (if off + len wraps around). I haven't been able to successfully exploit this, but I'd imagine that a clever attacker could use this to read things he shouldn't. Even if it's not exploitable, it couldn't hurt to be safe. Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> cc: stable@kernel.org Signed-off-by: Chris Mason <chris.mason@oracle.com>
author: Dan Rosenberg <dan.j.rosenberg@gmail.com> 2010-07-19 16:58:20 -0400
committer: Chris Mason <chris.mason@oracle.com> 2010-07-19 16:58:20 -0400
commit: 2ebc3464781ad24474abcbd2274e6254689853b5 (patch)
tree: 3d58dfcc14948672c0aac1636cdd57cbe46a135d /fs
parent: b5384d48f4e74edec3ca1887cb65e378a72af9a1 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 2a8b3a7568ad..9254b3d58dbe 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1458,7 +1458,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
         */
        /* the destination must be opened for writing */
-        if (!(file->f_mode & FMODE_WRITE))
+        if (!(file->f_mode & FMODE_WRITE) || (file->f_flags & O_APPEND))
                return -EINVAL;
        ret = mnt_want_write(file->f_path.mnt);
@@ -1511,7 +1511,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
        /* determine range to clone */
        ret = -EINVAL;
-        if (off >= src->i_size || off + len > src->i_size)
+        if (off + len > src->i_size || off + len < off)
                goto out_unlock;
        if (len == 0)
                olen = len = src->i_size - off;
author	Dan Rosenberg <dan.j.rosenberg@gmail.com>	2010-07-19 16:58:20 -0400
committer	Chris Mason <chris.mason@oracle.com>	2010-07-19 16:58:20 -0400
commit	2ebc3464781ad24474abcbd2274e6254689853b5 (patch)
tree	3d58dfcc14948672c0aac1636cdd57cbe46a135d /fs
parent	b5384d48f4e74edec3ca1887cb65e378a72af9a1 (diff)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 2a8b3a7568ad..9254b3d58dbe 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c
@@ -1458,7 +1458,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
1458	*/	1458	*/
1459		1459
1460	/* the destination must be opened for writing */	1460	/* the destination must be opened for writing */
1461	if (!(file->f_mode & FMODE_WRITE))	1461	if (!(file->f_mode & FMODE_WRITE) \|\| (file->f_flags & O_APPEND))
1462	return -EINVAL;	1462	return -EINVAL;
1463		1463
1464	ret = mnt_want_write(file->f_path.mnt);	1464	ret = mnt_want_write(file->f_path.mnt);
@@ -1511,7 +1511,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
1511		1511
1512	/* determine range to clone */	1512	/* determine range to clone */
1513	ret = -EINVAL;	1513	ret = -EINVAL;
1514	if (off >= src->i_size \|\| off + len > src->i_size)	1514	if (off + len > src->i_size \|\| off + len < off)
1515	goto out_unlock;	1515	goto out_unlock;
1516	if (len == 0)	1516	if (len == 0)
1517	olen = len = src->i_size - off;	1517	olen = len = src->i_size - off;