2.6.32-longterm review patch. If anyone has any objections, please let us know.
------------------ From: Miklos Szeredi <[email protected]> commit 7572777eef78ebdee1ecb7c258c0ef94d35bad16 upstream. Verify that the total length of the iovec returned in FUSE_IOCTL_RETRY doesn't overflow iov_length(). Signed-off-by: Miklos Szeredi <[email protected]> CC: Tejun Heo <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- fs/fuse/file.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -1619,6 +1619,20 @@ static int fuse_ioctl_copy_user(struct p return 0; } +/* Make sure iov_length() won't overflow */ +static int fuse_verify_ioctl_iov(struct iovec *iov, size_t count) +{ + size_t n; + u32 max = FUSE_MAX_PAGES_PER_REQ << PAGE_SHIFT; + + for (n = 0; n < count; n++) { + if (iov->iov_len > (size_t) max) + return -ENOMEM; + max -= iov->iov_len; + } + return 0; +} + /* * For ioctls, there is no generic way to determine how much memory * needs to be read and/or written. Furthermore, ioctls are allowed @@ -1812,6 +1826,14 @@ long fuse_do_ioctl(struct file *file, un in_iov = page_address(iov_page); out_iov = in_iov + in_iovs; + err = fuse_verify_ioctl_iov(in_iov, in_iovs); + if (err) + goto out; + + err = fuse_verify_ioctl_iov(out_iov, out_iovs); + if (err) + goto out; + goto retry; } _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
