[002/152] fuse: verify ioctl retries

From: Greg KH
Date: Wed Jan 05 2011 - 20:03:39 EST


2.6.36-stable review patch. If anyone has any objections, please let us know.

------------------

From: Miklos Szeredi <mszeredi@xxxxxxx>

commit 7572777eef78ebdee1ecb7c258c0ef94d35bad16 upstream.

Verify that the total length of the iovec returned in FUSE_IOCTL_RETRY
doesn't overflow iov_length().

Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxx>
CC: Tejun Heo <tj@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
fs/fuse/file.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1627,6 +1627,20 @@ static int fuse_ioctl_copy_user(struct p
return 0;
}

+/* Make sure iov_length() won't overflow */
+static int fuse_verify_ioctl_iov(struct iovec *iov, size_t count)
+{
+ size_t n;
+ u32 max = FUSE_MAX_PAGES_PER_REQ << PAGE_SHIFT;
+
+ for (n = 0; n < count; n++) {
+ if (iov->iov_len > (size_t) max)
+ return -ENOMEM;
+ max -= iov->iov_len;
+ }
+ return 0;
+}
+
/*
* For ioctls, there is no generic way to determine how much memory
* needs to be read and/or written. Furthermore, ioctls are allowed
@@ -1820,6 +1834,14 @@ long fuse_do_ioctl(struct file *file, un
in_iov = page_address(iov_page);
out_iov = in_iov + in_iovs;

+ err = fuse_verify_ioctl_iov(in_iov, in_iovs);
+ if (err)
+ goto out;
+
+ err = fuse_verify_ioctl_iov(out_iov, out_iovs);
+ if (err)
+ goto out;
+
goto retry;
}



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/