Commit eb59bd17 authored by Miklos Szeredi's avatar Miklos Szeredi

fuse: verify attributes

If a filesystem returns negative inode sizes, future reads on the file were
causing the cpu to spin on truncate_pagecache.

Create a helper to validate the attributes.  This now does two things:

 - check the file mode
 - check if the file size fits in i_size without overflowing
Reported-by: default avatarArijit Banerjee <arijit@rubrik.com>
Fixes: d8a5ba45 ("[PATCH] FUSE - core")
Cc: <stable@vger.kernel.org> # v2.6.14
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
parent 31f4f5b4
...@@ -248,7 +248,8 @@ static int fuse_dentry_revalidate(struct dentry *entry, unsigned int flags) ...@@ -248,7 +248,8 @@ static int fuse_dentry_revalidate(struct dentry *entry, unsigned int flags)
kfree(forget); kfree(forget);
if (ret == -ENOMEM) if (ret == -ENOMEM)
goto out; goto out;
if (ret || (outarg.attr.mode ^ inode->i_mode) & S_IFMT) if (ret || fuse_invalid_attr(&outarg.attr) ||
(outarg.attr.mode ^ inode->i_mode) & S_IFMT)
goto invalid; goto invalid;
forget_all_cached_acls(inode); forget_all_cached_acls(inode);
...@@ -319,6 +320,12 @@ int fuse_valid_type(int m) ...@@ -319,6 +320,12 @@ int fuse_valid_type(int m)
S_ISBLK(m) || S_ISFIFO(m) || S_ISSOCK(m); S_ISBLK(m) || S_ISFIFO(m) || S_ISSOCK(m);
} }
bool fuse_invalid_attr(struct fuse_attr *attr)
{
return !fuse_valid_type(attr->mode) ||
attr->size > LLONG_MAX;
}
int fuse_lookup_name(struct super_block *sb, u64 nodeid, const struct qstr *name, int fuse_lookup_name(struct super_block *sb, u64 nodeid, const struct qstr *name,
struct fuse_entry_out *outarg, struct inode **inode) struct fuse_entry_out *outarg, struct inode **inode)
{ {
...@@ -350,7 +357,7 @@ int fuse_lookup_name(struct super_block *sb, u64 nodeid, const struct qstr *name ...@@ -350,7 +357,7 @@ int fuse_lookup_name(struct super_block *sb, u64 nodeid, const struct qstr *name
err = -EIO; err = -EIO;
if (!outarg->nodeid) if (!outarg->nodeid)
goto out_put_forget; goto out_put_forget;
if (!fuse_valid_type(outarg->attr.mode)) if (fuse_invalid_attr(&outarg->attr))
goto out_put_forget; goto out_put_forget;
*inode = fuse_iget(sb, outarg->nodeid, outarg->generation, *inode = fuse_iget(sb, outarg->nodeid, outarg->generation,
...@@ -475,7 +482,8 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry, ...@@ -475,7 +482,8 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry,
goto out_free_ff; goto out_free_ff;
err = -EIO; err = -EIO;
if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid)) if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid) ||
fuse_invalid_attr(&outentry.attr))
goto out_free_ff; goto out_free_ff;
ff->fh = outopen.fh; ff->fh = outopen.fh;
...@@ -583,7 +591,7 @@ static int create_new_entry(struct fuse_conn *fc, struct fuse_args *args, ...@@ -583,7 +591,7 @@ static int create_new_entry(struct fuse_conn *fc, struct fuse_args *args,
goto out_put_forget_req; goto out_put_forget_req;
err = -EIO; err = -EIO;
if (invalid_nodeid(outarg.nodeid)) if (invalid_nodeid(outarg.nodeid) || fuse_invalid_attr(&outarg.attr))
goto out_put_forget_req; goto out_put_forget_req;
if ((outarg.attr.mode ^ mode) & S_IFMT) if ((outarg.attr.mode ^ mode) & S_IFMT)
...@@ -942,7 +950,8 @@ static int fuse_do_getattr(struct inode *inode, struct kstat *stat, ...@@ -942,7 +950,8 @@ static int fuse_do_getattr(struct inode *inode, struct kstat *stat,
args.out_args[0].value = &outarg; args.out_args[0].value = &outarg;
err = fuse_simple_request(fc, &args); err = fuse_simple_request(fc, &args);
if (!err) { if (!err) {
if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) { if (fuse_invalid_attr(&outarg.attr) ||
(inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
make_bad_inode(inode); make_bad_inode(inode);
err = -EIO; err = -EIO;
} else { } else {
...@@ -1563,7 +1572,8 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr, ...@@ -1563,7 +1572,8 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
goto error; goto error;
} }
if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) { if (fuse_invalid_attr(&outarg.attr) ||
(inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
make_bad_inode(inode); make_bad_inode(inode);
err = -EIO; err = -EIO;
goto error; goto error;
......
...@@ -989,6 +989,8 @@ void fuse_ctl_remove_conn(struct fuse_conn *fc); ...@@ -989,6 +989,8 @@ void fuse_ctl_remove_conn(struct fuse_conn *fc);
*/ */
int fuse_valid_type(int m); int fuse_valid_type(int m);
bool fuse_invalid_attr(struct fuse_attr *attr);
/** /**
* Is current process allowed to perform filesystem operation? * Is current process allowed to perform filesystem operation?
*/ */
......
...@@ -184,7 +184,7 @@ static int fuse_direntplus_link(struct file *file, ...@@ -184,7 +184,7 @@ static int fuse_direntplus_link(struct file *file,
if (invalid_nodeid(o->nodeid)) if (invalid_nodeid(o->nodeid))
return -EIO; return -EIO;
if (!fuse_valid_type(o->attr.mode)) if (fuse_invalid_attr(&o->attr))
return -EIO; return -EIO;
fc = get_fuse_conn(dir); fc = get_fuse_conn(dir);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment