tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

fuse: prevent overflow in copy_file_range return value

The FUSE protocol uses struct fuse_write_out to convey the return value of
copy_file_range, which is restricted to uint32_t. But the COPY_FILE_RANGE
interface supports a 64-bit size copies.

Currently the number of bytes copied is silently truncated to 32-bit, which
may result in poor performance or even failure to copy in case of
truncation to zero.

Reported-by: Florian Weimer <fweimer@redhat.com>
Closes: https://lore.kernel.org/all/lhuh5ynl8z5.fsf@oldenburg.str.redhat.com/
Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()")
Cc: <stable@vger.kernel.org> # v4.20
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

Miklos Szeredi 1e08938c e5203209

+1 -1
+1 -1
fs/fuse/file.c
··· 2960 2960 .nodeid_out = ff_out->nodeid, 2961 2961 .fh_out = ff_out->fh, 2962 2962 .off_out = pos_out, 2963 - .len = len, 2963 + .len = min_t(size_t, len, UINT_MAX & PAGE_MASK), 2964 2964 .flags = flags 2965 2965 }; 2966 2966 struct fuse_write_out outarg;