Re: [PATCH v5 8/8] btrfs: new ioctls to do logical->inode and inode->path resolving

On 21.07.2011 22:14, Andi Kleen wrote:
> Jan Schmidt <list.btrfs@xxxxxxxxxxxxx> writes:
>> +
>> +static long btrfs_ioctl_logical_to_ino(struct btrfs_root *root,
>> +					void __user *arg)
>> +{
>> +	int ret = 0;
>> +	int size;
>> +	u64 extent_offset;
>> +	struct btrfs_ioctl_logical_ino_args *loi;
>> +	struct btrfs_data_container *inodes = NULL;
>> +	struct btrfs_path *path = NULL;
>> +	struct btrfs_key key;
> 
> This really needs to be root-only for obvious reasons.
> The same for the ino_path function
> 
>> +
>> +	loi = memdup_user(arg, sizeof(*loi));
>> +	if (IS_ERR(loi)) {
>> +		ret = PTR_ERR(loi);
>> +		loi = NULL;
>> +		goto out;
>> +	}
>> +
>> +	path = btrfs_alloc_path();
>> +	if (!path) {
>> +		ret = -ENOMEM;
>> +		goto out;
>> +	}
>> +
>> +	size = min(loi->size, 4096);
> 
> This is likely a root hole. loi->size is signed! Consider the case
> of a negative value being passed in.
> 
> Same for the earlier function.
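
Review bot: `size = min(loi->size, 4096);` at the end of the quoted hunk bounds the request only from above, and the result is stored in `int size`, so with a signed `loi->size` a negative value passes the clamp unchanged and no lower bound is enforced. Make the field and the local unsigned and clamp with min_t() on an explicit unsigned type, or reject a non-positive or too-small `loi->size` with -EINVAL before the clamp. The hunk also reaches memdup_user() and btrfs_alloc_path() with no privilege check visible; a capable(CAP_SYS_ADMIN) test returning -EPERM at the top of the function would address that.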

Sigh. Thanks for pointing these out. Shouldn't release code that was
fine for development without carefully reconsidering such things. I'll
send a v6.

-Jan
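
The signedness problem discussed in this message, as an added user-space example that is not part of the original thread or the btrfs patch. The helper names, the 64-bit signed request type and the header length are assumptions made for illustration; only the 4096 bound comes from the quoted code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CONTAINER_MAX 4096	/* upper bound used in the quoted patch */

/* Hypothetical stand-in for the patch's clamp: signed in, signed out. */
static int clamp_signed(int64_t user_size)
{
	int64_t s = user_size < CONTAINER_MAX ? user_size : CONTAINER_MAX;

	return (int)s;	/* a negative request survives the upper-bound clamp */
}

/* What an allocation or copy length becomes once that int is a size_t. */
static size_t as_length(int size)
{
	return (size_t)size;
}

/*
 * Hardened form (hypothetical helper): take the request as unsigned,
 * reject anything too small to hold the result header, then clamp.
 */
static int checked_size(uint64_t user_size, size_t header_len, size_t *out)
{
	if (user_size < header_len)
		return -EINVAL;
	*out = user_size < CONTAINER_MAX ? (size_t)user_size : CONTAINER_MAX;
	return 0;
}

int main(void)
{
	size_t len = 0;
	int ret;

	/* Constructed inputs: a negative request and an oversized one. */
	printf("signed clamp of -1   -> %d, as length %zu\n",
	       clamp_signed(-1), as_length(clamp_signed(-1)));
	ret = checked_size((uint64_t)-1, 16, &len);
	printf("checked, huge value  -> ret %d, len %zu\n", ret, len);
	ret = checked_size(8, 16, &len);
	printf("checked, below header -> ret %d\n", ret);
	return 0;
}
```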