Re: [PATCH v2] fuse: avoid 32-bit prune notification count wrap
From: Miklos Szeredi
Date: Wed Jun 10 2026 - 04:31:23 EST
On Wed, 10 Jun 2026 at 02:38, Samuel Moelius
<sam.moelius@xxxxxxxxxxxxxxx> wrote:
>
> FUSE_NOTIFY_PRUNE validates the nodeid payload length with:
>
> size - sizeof(outarg) != outarg.count * sizeof(u64)
>
> On 32-bit kernels, size_t is also 32 bits, so the daemon-controlled
> count multiplication can wrap. A prune notification with count
> 0x20000000 and no nodeid payload passes the check, enters the copy
> loop, and asks the device copy path to read nodeids that are not
> present in the userspace write buffer. In QEMU this reaches the
> fuse_copy_fill() BUG_ON(!err) path.
>
> Validate the payload length with array_size() instead. That accepts
> exactly the same valid messages, but avoids wrapping arithmetic before
> the copy loop consumes the count.
>
> Assisted-by: Codex:gpt-5.5-cyber-preview
> Fixes: 3f29d59e92a9 ("fuse: add prune notification")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Samuel Moelius <sam.moelius@xxxxxxxxxxxxxxx>
Applied, thanks.
Miklos
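The wrap described in the commit message, as an added example that is not part of the patch, the kernel tree, or either poster's words. It models the FUSE_NOTIFY_PRUNE length check with a 32-bit size_t stand-in (size32_t) so the arithmetic behaves as it would on a 32-bit kernel even when compiled on a 64-bit host. The header layout (a u32 count plus u32 padding, 8 bytes) and the leading header-fits check are assumptions made for the example, and array_size32() is a userspace imitation of the kernel's array_size() macro, which returns SIZE_MAX when the product overflows.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code.  size32_t stands in for the kernel's
 * size_t on a 32-bit build, which is where the wrap is reachable. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Assumed layout of the prune notification header; only its size matters
 * here.  The real struct lives in the FUSE uapi header. */
struct prune_out_model {
    uint32_t count;
    uint32_t padding;
};

/* Original check, as quoted in the commit message:
 *   size - sizeof(outarg) != outarg.count * sizeof(u64)
 * Both sides are 32-bit size_t, so count * 8 can wrap to 0.
 * The preceding "header fits" check is assumed. */
static bool prune_len_ok_wrapping(size32_t size, uint32_t count)
{
    if (size < sizeof(struct prune_out_model))
        return false;
    size32_t payload = size - (size32_t)sizeof(struct prune_out_model);
    size32_t expect = (size32_t)count * (size32_t)sizeof(uint64_t);
    return payload == expect;
}

/* Imitation of the kernel's array_size(n, elem): the product, or SIZE_MAX
 * when it overflows, so a wrapped product can never match a real payload. */
static size32_t array_size32(size32_t n, size32_t elem)
{
    size32_t product;
    if (__builtin_mul_overflow(n, elem, &product))
        return SIZE32_MAX;
    return product;
}

/* Fixed check: accepts exactly the same valid messages, rejects the wrap. */
static bool prune_len_ok_checked(size32_t size, uint32_t count)
{
    if (size < sizeof(struct prune_out_model))
        return false;
    size32_t payload = size - (size32_t)sizeof(struct prune_out_model);
    return payload == array_size32(count, (size32_t)sizeof(uint64_t));
}

int main(void)
{
    /* Constructed daemon message: header only, no nodeid payload, with the
     * count from the commit message.  0x20000000 * 8 == 0x100000000, which
     * is 0 in 32 bits, so the old check sees "0 == 0" and passes. */
    const size32_t hdr = (size32_t)sizeof(struct prune_out_model);
    const uint32_t evil_count = 0x20000000u;
    printf("old check, count=0x%x, no payload: %s\n", evil_count,
           prune_len_ok_wrapping(hdr, evil_count) ? "accepted" : "rejected");
    printf("new check, count=0x%x, no payload: %s\n", evil_count,
           prune_len_ok_checked(hdr, evil_count) ? "accepted" : "rejected");

    /* Constructed valid message: two nodeids, 16 bytes of payload. */
    printf("old check, count=2, 16-byte payload: %s\n",
           prune_len_ok_wrapping(hdr + 16, 2) ? "accepted" : "rejected");
    printf("new check, count=2, 16-byte payload: %s\n",
           prune_len_ok_checked(hdr + 16, 2) ? "accepted" : "rejected");
    return 0;
}
```

On a 64-bit build the same multiply is done in 64-bit size_t, where a 32-bit count times 8 cannot wrap, which is why the commit message limits the issue to 32-bit kernels; the overflow-checked form is correct on both.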