authorBobi Jam <bobijam.xu@intel.com>2014-04-27 13:07:11 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2014-04-27 10:31:01 -0700
commitebdc4fc54d5defaa20417eabeb7a8d7b400fd53c (patch)
tree6df4a449597ed90484b3ecf19df3a758936031fc /drivers/staging/lustre/lustre/llite/file.c
parentstaging/lustre: Fix unsafe userspace access in many proc files (diff)
staging/lustre/llite: prevent buffer overflow in fiemap
lov_fiemap() does not take into account its @vallen parameter, which is the max buffer size the caller can hold for the fiemap extents. This patch fixes this and limits the max mapped fiemap extent count to fit in the preallocated buffer. This patch also fixes an out-of-bounds memory write when the fiemap call is only for detecting the number of existing extents. Signed-off-by: Bobi Jam <bobijam.xu@intel.com> Reviewed-on: http://review.whamcloud.com/9834 Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-4619 Reviewed-by: Fan Yong <fan.yong@intel.com> Reviewed-by: Patrick Farrell <paf@cray.com> Signed-off-by: Oleg Drokin <oleg.drokin@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/lustre/lustre/llite/file.c')
-rw-r--r--drivers/staging/lustre/lustre/llite/file.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/drivers/staging/lustre/lustre/llite/file.c b/drivers/staging/lustre/lustre/llite/file.c
index 79accc5ac0bb..562e33751197 100644
--- a/drivers/staging/lustre/lustre/llite/file.c
+++ b/drivers/staging/lustre/lustre/llite/file.c
@@ -1721,12 +1721,12 @@ out:
* Make the FIEMAP get_info call and returns the result.
*/
static int ll_do_fiemap(struct inode *inode, struct ll_user_fiemap *fiemap,
- int num_bytes)
+ size_t num_bytes)
{
struct obd_export *exp = ll_i2dtexp(inode);
struct lov_stripe_md *lsm = NULL;
struct ll_fiemap_info_key fm_key = { .name = KEY_FIEMAP, };
- int vallen = num_bytes;
+ __u32 vallen = num_bytes;
int rc;
/* Checks for fiemap flags */
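Review bot: `__u32 vallen = num_bytes;` narrows a `size_t` to 32 bits with no check, so on a 64-bit build a `num_bytes` above `U32_MAX` would wrap silently and the length handed to the get_info call would no longer describe the buffer. The wrapped value is smaller than the real allocation, so this is not itself an overflow, but it would make the extent limit wrong without any error. Callers outside this hunk may already bound `num_bytes`; if that is the contract, state it in the function comment, otherwise add a guard after the declarations such as `if (num_bytes > U32_MAX) return -EINVAL;`. The body of ll_do_fiemap continues past the end of the hunk.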
@@ -3080,15 +3080,18 @@ static int ll_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
fiemap->fm_extent_count = fieinfo->fi_extents_max;
fiemap->fm_start = start;
fiemap->fm_length = len;
- memcpy(&fiemap->fm_extents[0], fieinfo->fi_extents_start,
- sizeof(struct ll_fiemap_extent));
+ if (extent_count > 0)
+ memcpy(&fiemap->fm_extents[0], fieinfo->fi_extents_start,
+ sizeof(struct ll_fiemap_extent));
rc = ll_do_fiemap(inode, fiemap, num_bytes);
fieinfo->fi_flags = fiemap->fm_flags;
fieinfo->fi_extents_mapped = fiemap->fm_mapped_extents;
- memcpy(fieinfo->fi_extents_start, &fiemap->fm_extents[0],
- fiemap->fm_mapped_extents * sizeof(struct ll_fiemap_extent));
+ if (extent_count > 0)
+ memcpy(fieinfo->fi_extents_start, &fiemap->fm_extents[0],
+ fiemap->fm_mapped_extents *
+ sizeof(struct ll_fiemap_extent));
OBD_FREE_LARGE(fiemap, num_bytes);
return rc;
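Review bot: The copy-back `memcpy` still takes its length from `fiemap->fm_mapped_extents`, which ll_do_fiemap() fills in, and the new `extent_count > 0` guard does not compare that count with `extent_count`. If the returned count were ever larger than the number of extents requested, the copy would read past the `num_bytes` allocation and write past `fi_extents_start`. The commit message says lov_fiemap() now limits the count, but that code is not in this file, so a local clamp is cheap defence in depth: `min_t(__u32, fiemap->fm_mapped_extents, extent_count) * sizeof(struct ll_fiemap_extent)`. The results are also copied out when `rc` is non-zero, so consider skipping the copy on error. ll_fiemap starts before this hunk and its closing brace is outside it.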