Skip to content

Commit 6ed6356

Browse files
Dan CarpenterDarrick J. Wong
authored andcommitted
xfs: prevent a WARN_ONCE() in xfs_ioc_attr_list()
The "bufsize" comes from the root user. If "bufsize" is negative then, because of type promotion, neither of the validation checks at the start of the function are able to catch it: if (bufsize < sizeof(struct xfs_attrlist) || bufsize > XFS_XATTR_LIST_MAX) return -EINVAL; This means "bufsize" will trigger (WARN_ON_ONCE(size > INT_MAX)) in kvmalloc_node(). Fix this by changing the type from int to size_t. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Darrick J. Wong <djwong@kernel.org> Signed-off-by: Darrick J. Wong <djwong@kernel.org>
1 parent 132c460 commit 6ed6356

File tree

2 files changed

+4
-3
lines changed

2 files changed

+4
-3
lines changed

fs/xfs/xfs_ioctl.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -372,7 +372,7 @@ int
372372
xfs_ioc_attr_list(
373373
struct xfs_inode *dp,
374374
void __user *ubuf,
375-
int bufsize,
375+
size_t bufsize,
376376
int flags,
377377
struct xfs_attrlist_cursor __user *ucursor)
378378
{

fs/xfs/xfs_ioctl.h

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -38,8 +38,9 @@ xfs_readlink_by_handle(
3838
int xfs_ioc_attrmulti_one(struct file *parfilp, struct inode *inode,
3939
uint32_t opcode, void __user *uname, void __user *value,
4040
uint32_t *len, uint32_t flags);
41-
int xfs_ioc_attr_list(struct xfs_inode *dp, void __user *ubuf, int bufsize,
42-
int flags, struct xfs_attrlist_cursor __user *ucursor);
41+
int xfs_ioc_attr_list(struct xfs_inode *dp, void __user *ubuf,
42+
size_t bufsize, int flags,
43+
struct xfs_attrlist_cursor __user *ucursor);
4344

4445
extern struct dentry *
4546
xfs_handle_to_dentry(

0 commit comments

Comments
 (0)