Re: [PATCH v5 8/8] btrfs: new ioctls to do logical->inode and inode->path resolving

Jan Schmidt <list.btrfs@xxxxxxxxxxxxx> writes:
> +
> +static long btrfs_ioctl_logical_to_ino(struct btrfs_root *root,
> +					void __user *arg)
> +{
> +	int ret = 0;
> +	int size;
> +	u64 extent_offset;
> +	struct btrfs_ioctl_logical_ino_args *loi;
> +	struct btrfs_data_container *inodes = NULL;
> +	struct btrfs_path *path = NULL;
> +	struct btrfs_key key;
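
Review bot: no privilege check appears between these declarations and the first statement of the body (`loi = memdup_user(arg, sizeof(*loi));`), so the handler starts processing `arg` for any caller that reaches it. Make `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` the first statement, before anything is copied from user space, and state the requirement in a comment above the function.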

This really needs to be root-only for obvious reasons.
The same for the ino_path function.

> +
> +	loi = memdup_user(arg, sizeof(*loi));
> +	if (IS_ERR(loi)) {
> +		ret = PTR_ERR(loi);
> +		loi = NULL;
> +		goto out;
> +	}
> +
> +	path = btrfs_alloc_path();
> +	if (!path) {
> +		ret = -ENOMEM;
> +		goto out;
> +	}
> +
> +	size = min(loi->size, 4096);
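
Review bot: `size = min(loi->size, 4096);` enforces only an upper bound, and `size` is declared `int` at the top of the function, so if `loi->size` is a signed field a negative value passes through unchanged and becomes the length used by whatever consumes `size` next. Reject `loi->size <= 0` with `-EINVAL` on the existing `goto out` path before this line, or make both the field and `size` unsigned and clamp with `min_t(u32, loi->size, 4096)`; a named constant in place of the bare 4096 would also make the limit easier to audit.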

This is likely a root hole. loi->size is signed! Consider the case
of a negative value being passed in.

Same for the earlier function.

-Andi
-- 
ak@xxxxxxxxxxxxxxx -- Speaking for myself only
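
The signedness problem raised in this message, as an added user-space illustration (not code from the patch or from the author of the reply): the first helper mirrors the quoted `min(loi->size, 4096)` clamp on an `int`, the second is a hypothetical validated variant. The helper names, `MAX_CONTAINER`, the conversion to `size_t` and the sample values are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CONTAINER 4096	/* cap taken from the quoted patch line */

/* Same shape as the quoted line: only the upper bound is enforced. */
static int clamp_upper_only(int requested)
{
	return requested < MAX_CONTAINER ? requested : MAX_CONTAINER;
}

/* What a length-taking callee sees after implicit conversion (assumed use). */
static size_t as_length(int size)
{
	return (size_t)size;
}

/*
 * Hypothetical hardened helper: refuse non-positive requests (a zero-byte
 * result buffer is treated as invalid here), then clamp to the cap and
 * return an unsigned length.
 */
static int clamp_validated(int requested, size_t *out)
{
	if (requested <= 0)
		return -EINVAL;
	*out = requested < MAX_CONTAINER ? (size_t)requested
					 : (size_t)MAX_CONTAINER;
	return 0;
}

int main(void)
{
	/* Constructed sample inputs standing in for a user-supplied size. */
	int samples[] = { 512, 1 << 20, -1 };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		size_t len = 0;
		int clamped = clamp_upper_only(samples[i]);
		int rc = clamp_validated(samples[i], &len);

		printf("req=%d upper-only=%d as size_t=%zu | validated rc=%d len=%zu\n",
		       samples[i], clamped, as_length(clamped), rc, len);
	}
	return 0;
}
```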