fibmap: Reject negative block numbers

FIBMAP receives an integer from userspace which is then implicitly converted
into sector_t to be passed to bmap(). No check is made to ensure userspace
didn't send a negative block number, which can end up in an underflow, and
returning to userspace a corrupted block address.

As a side-effect, the underflow caused by a negative block here, will
trigger the WARN() in iomap_bmap_actor(), which is how this issue was
first discovered.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/fs/ioctl.c b/fs/ioctl.c
index 13327862f278f148edf71ca09caff83d356ec1d3..0be9bee9ff8fe824fbc7b3e60bfce9edebe534af 100644 (file)
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -65,6 +65,9 @@ static int ioctl_fibmap(struct file *filp, int __user *p)
        if (error)
                return error;
 
+       if (ur_block < 0)
+               return -EINVAL;
+
        block = ur_block;
        error = bmap(inode, &block);