Re: [PATCH] ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow
From: Joseph Qi
Date: Thu Oct 10 2024 - 08:22:17 EST
On 10/9/24 11:05 PM, Edward Adam Davis wrote:
> Syzbot reported a kernel BUG in ocfs2_truncate_inline.
> There are two reasons for this: first, the parameter value passed is greater
> than UINT_MAX; second, the start and end parameters of ocfs2_truncate_inline
> are "unsigned int".
>
> So, we need to add a sanity check for offset and len in ocfs2_fallocate: if
> they are greater than UINT_MAX, return -EFBIG.
fallocate should accept loff_t (aka long long) offset and len.
I guess the reported bug is caused by a crafted image, which sets an
overflowing offset and len in case of inline data (with flag
OCFS2_INLINE_DATA_FL set).
So IMO, the right place to add a sanity check is right before
ocfs2_truncate_inline() in ocfs2_remove_inode_range().
Thanks,
Joseph
>
> Reported-and-tested-by: syzbot+81092778aac03460d6b7@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> ---
> fs/ocfs2/file.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
> index ad131a2fc58e..ed26ec8ac6b6 100644
> --- a/fs/ocfs2/file.c
> +++ b/fs/ocfs2/file.c
> @@ -2117,6 +2117,9 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset,
> return ret;
> }
>
> + if (offset > UINT_MAX || offset + len > UINT_MAX)
> + return -EFBIG;
> +
> if (mode & FALLOC_FL_PUNCH_HOLE)
> cmd = OCFS2_IOC_UNRESVSP64;
>
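Review bot: the check `if (offset > UINT_MAX || offset + len > UINT_MAX) return -EFBIG;` is unconditional in ocfs2_fallocate(), so it caps every fallocate and punch-hole request on ocfs2 at 4 GiB, including on extent-backed files whose loff_t offsets past that are legitimate, while the unsigned int narrowing it guards against only exists on the inline-data path. Gate it on OCFS2_INLINE_DATA_FL and place it in ocfs2_remove_inode_range() right before the call to ocfs2_truncate_inline(), as the reviewer suggests. Also, for non-negative offset and len the first clause is implied by the second, so the condition reduces to `offset + len > UINT_MAX`.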
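The narrowing the thread is about, and the placement Joseph argues for, as an added user-space model that is not ocfs2 code: `loff_t` offsets handed to `unsigned int` start/end parameters keep only their low 32 bits, so a crafted offset of 4 GiB wraps to 0 and the helper zeroes the wrong bytes. `struct demo_inode`, `DEMO_INLINE_DATA_FL`, `demo_truncate_inline()`, `inline_range_check()` and `demo_remove_inode_range()` are all hypothetical stand-ins for the ocfs2 structures and functions named in the thread; the sample inline data is constructed. The check is applied only when the inode carries the inline-data flag, so the extent path keeps its full 64-bit range.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

typedef long long loff_t;            /* the kernel's loff_t: a signed 64-bit file offset */

/* Hypothetical model of an ocfs2 inline-data inode (not the real struct). */
#define DEMO_INLINE_DATA_FL 0x0001   /* stands in for OCFS2_INLINE_DATA_FL */
#define DEMO_INLINE_MAX     64       /* inline data lives inside the inode block */

struct demo_inode {
    unsigned int flags;
    unsigned int size;               /* bytes of inline data in use */
    unsigned char data[DEMO_INLINE_MAX];
};

/* The narrowing that bites: a loff_t passed to an `unsigned int` parameter
 * keeps only its low 32 bits. */
unsigned int narrow_to_uint(loff_t v)
{
    return (unsigned int)v;
}

/* Model of a truncate-inline helper that, like the real one, takes unsigned
 * int start/end.  Zeroes [start, end) inside the inline buffer and shrinks
 * the size when the range reaches the end of the data. */
int demo_truncate_inline(struct demo_inode *ip, unsigned int start, unsigned int end)
{
    if (start > end)
        return -EINVAL;
    if (start >= ip->size)
        return 0;                    /* nothing to do past EOF */
    if (end >= ip->size) {
        memset(ip->data + start, 0, ip->size - start);
        ip->size = start;            /* range runs to EOF: shrink */
    } else {
        memset(ip->data + start, 0, end - start);
    }
    return 0;
}

/* The sanity check, placed where the inline path begins: [offset, offset+len)
 * must fit in the unsigned int pair the helper takes.  Also rejects negative
 * values and a signed overflow of offset + len. */
int inline_range_check(loff_t offset, loff_t len)
{
    if (offset < 0 || len < 0)
        return -EINVAL;
    if (len > LLONG_MAX - offset)    /* offset + len would wrap loff_t */
        return -EFBIG;
    if (offset + len > UINT_MAX)     /* implies offset <= UINT_MAX as well */
        return -EFBIG;
    return 0;
}

/* Remove-range entry point in the style of ocfs2_remove_inode_range(): only
 * inline-data inodes are gated by the check; extent-backed files (not modelled
 * here) keep their full 64-bit range. */
int demo_remove_inode_range(struct demo_inode *ip, loff_t offset, loff_t len)
{
    int ret;

    if (!(ip->flags & DEMO_INLINE_DATA_FL))
        return 0;                    /* extent path: out of scope for the demo */

    ret = inline_range_check(offset, len);
    if (ret)
        return ret;
    return demo_truncate_inline(ip, narrow_to_uint(offset), narrow_to_uint(offset + len));
}

/* Same call without the check: shows which bytes get clobbered when a crafted
 * offset above 4 GiB wraps to a small start.  The end is computed in unsigned
 * arithmetic so the wrap is well defined here; the result is the same low 32 bits. */
int demo_remove_inode_range_unchecked(struct demo_inode *ip, loff_t offset, loff_t len)
{
    return demo_truncate_inline(ip, narrow_to_uint(offset),
                                narrow_to_uint(offset) + narrow_to_uint(len));
}

int main(void)
{
    struct demo_inode ip = { .flags = DEMO_INLINE_DATA_FL, .size = 32 };
    loff_t off = 0x100000000LL;      /* 4 GiB: does not fit in unsigned int */
    int ret;

    memset(ip.data, 'A', ip.size);   /* constructed sample inline data */
    printf("narrowed offset: %u\n", narrow_to_uint(off));
    printf("checked: %d (-EFBIG is %d)\n", demo_remove_inode_range(&ip, off, 16), -EFBIG);
    ret = demo_remove_inode_range_unchecked(&ip, off, 16);
    printf("unchecked: %d, data[0]=0x%02x, size=%u\n", ret, ip.data[0], ip.size);
    return 0;
}
```

With the check in place the 4 GiB request is refused and the inline data is untouched; without it the same request wraps to start 0, end 16 and silently zeroes the first 16 bytes of the inode's data while reporting success.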