summaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorDan Rosenberg <dan.j.rosenberg@gmail.com>2010-07-19 16:58:20 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2010-08-02 10:26:32 -0700
commit31f2ec9a89ba61ae1c3cfcd987567f14462a9cb2 (patch)
treead18430408cc3bba9737dbf39cb5a60114cc4b11 /fs
parent394c17d4076fe95d0033e6be390629c8fbb6ebdb (diff)
downloadlwn-31f2ec9a89ba61ae1c3cfcd987567f14462a9cb2.tar.gz
lwn-31f2ec9a89ba61ae1c3cfcd987567f14462a9cb2.zip
Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE
commit 2ebc3464781ad24474abcbd2274e6254689853b5 upstream. 1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check whether the donor file is append-only before writing to it. 2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer overflow that allows a user to specify an out-of-bounds range to copy from the source file (if off + len wraps around). I haven't been able to successfully exploit this, but I'd imagine that a clever attacker could use this to read things he shouldn't. Even if it's not exploitable, it couldn't hurt to be safe. Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> Signed-off-by: Chris Mason <chris.mason@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'fs')
-rw-r--r--fs/btrfs/ioctl.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 2c6ee6aacb26..0bc577695061 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -952,7 +952,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
*/
/* the destination must be opened for writing */
- if (!(file->f_mode & FMODE_WRITE))
+ if (!(file->f_mode & FMODE_WRITE) || (file->f_flags & O_APPEND))
return -EINVAL;
ret = mnt_want_write(file->f_path.mnt);
@@ -1005,7 +1005,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
/* determine range to clone */
ret = -EINVAL;
- if (off >= src->i_size || off + len > src->i_size)
+ if (off + len > src->i_size || off + len < off)
goto out_unlock;
if (len == 0)
olen = len = src->i_size - off;