From: Carlos Maiolino <cmaiolino@redhat.com>
Date: Thu, 9 Jan 2020 13:30:45 +0000 (+0100)
Subject: fibmap: Reject negative block numbers
X-Git-Tag: v5.6-rc1~23^2~1
X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=324282c0252a44a97d628813e30ea7258940d469;p=linux.git

fibmap: Reject negative block numbers

FIBMAP receives an integer from userspace which is then implicitly converted
into sector_t to be passed to bmap(). No check is made to ensure userspace
didn't send a negative block number, which can end up in an underflow, and
returning to userspace a corrupted block address.

As a side-effect, the underflow caused by a negative block here, will
trigger the WARN() in iomap_bmap_actor(), which is how this issue was
first discovered.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---

diff --git a/fs/ioctl.c b/fs/ioctl.c
index 13327862f278..0be9bee9ff8f 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -65,6 +65,9 @@ static int ioctl_fibmap(struct file *filp, int __user *p)
 	if (error)
 		return error;
 
+	if (ur_block < 0)
+		return -EINVAL;
+
 	block = ur_block;
 	error = bmap(inode, &block);