On 21.07.2011 22:14, Andi Kleen wrote:
> Jan Schmidt <list.btrfs@xxxxxxxxxxxxx> writes:
>> +
>> +static long btrfs_ioctl_logical_to_ino(struct btrfs_root *root,
>> + void __user *arg)
>> +{
>> + int ret = 0;
>> + int size;
>> + u64 extent_offset;
>> + struct btrfs_ioctl_logical_ino_args *loi;
>> + struct btrfs_data_container *inodes = NULL;
>> + struct btrfs_path *path = NULL;
>> + struct btrfs_key key;
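Review bot: no privilege check is visible at the top of this entry point before it starts resolving a user-supplied logical address to inode numbers (the handler takes only `void __user *arg` and sets up locals for a tree walk); add `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` as the first statement, as the reply asks, and apply the same check to the ino_path handler.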
>
> This really needs to be root-only for obvious reasons.
> The same for the ino_path function
>
>> +
>> + loi = memdup_user(arg, sizeof(*loi));
>> + if (IS_ERR(loi)) {
>> + ret = PTR_ERR(loi);
>> + loi = NULL;
>> + goto out;
>> + }
>> +
>> + path = btrfs_alloc_path();
>> + if (!path) {
>> + ret = -ENOMEM;
>> + goto out;
>> + }
>> +
>> + size = min(loi->size, 4096);
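Review bot: `size = min(loi->size, 4096);` on the last line lets a negative user value through: `loi->size` is signed and `size` is declared `int` above, so a negative `loi->size` already compares less than 4096 and becomes the working size unchanged. Validate before clamping, either `if (loi->size < 0) { ret = -EINVAL; goto out; }` ahead of the `min()`, or make the field and the local unsigned and clamp with `min_t(u64, loi->size, 4096)`.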
>
> This is likely a root hole. loi->size is signed! Consider the case
> of a negative value being passed in.
>
> Same for the earlier function.
Sigh. Thanks for pointing these out. Shouldn't release code that was
fine for development without carefully reconsidering such things. I'll
send a v6.
-Jan
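As an added illustration of the signed-size point raised above (this is a userspace mock, not code from the patch or from btrfs), the `min(loi->size, 4096)` clamp is shown beside a version that rejects negative sizes first; the struct and function names are constructed for the demo.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the ioctl argument struct in the quoted patch:
 * the size field is signed, as the review points out. Not btrfs's real struct. */
struct logical_ino_args_demo {
    int64_t logical;
    int64_t size;   /* user-controlled, signed */
};

#define DEMO_MAX_SIZE 4096

/* Mirrors the reviewed clamp: a plain min() against 4096. A negative size
 * is "smaller" than 4096, so it passes straight through unchanged. */
static long clamp_size_buggy(const struct logical_ino_args_demo *loi)
{
    return loi->size < DEMO_MAX_SIZE ? (long)loi->size : DEMO_MAX_SIZE;
}

/* Hardened variant: reject negatives explicitly before clamping, returning
 * -EINVAL so the caller can bail out before any allocation or copy. */
static long clamp_size_fixed(const struct logical_ino_args_demo *loi)
{
    if (loi->size < 0)
        return -EINVAL;
    return loi->size < DEMO_MAX_SIZE ? (long)loi->size : DEMO_MAX_SIZE;
}

/* Shows why the unchecked value matters: once a negative size is widened
 * to the unsigned type an allocator expects, it becomes an enormous request. */
static size_t requested_bytes(long size)
{
    return (size_t)size;
}

int main(void)
{
    struct logical_ino_args_demo hostile = { .logical = 0, .size = -1 };
    struct logical_ino_args_demo large   = { .logical = 0, .size = 1 << 20 };

    printf("buggy(-1)    = %ld\n", clamp_size_buggy(&hostile));
    printf("fixed(-1)    = %ld (-EINVAL)\n", clamp_size_fixed(&hostile));
    printf("fixed(1<<20) = %ld\n", clamp_size_fixed(&large));
    printf("bytes for -1 = %zu\n", requested_bytes(clamp_size_buggy(&hostile)));
    return 0;
}
```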
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html