tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

ovl: add permission hooks outside of do_splice_direct()

The main callers of do_splice_direct() also call rw_verify_area() for
the entire range that is being copied, e.g. by vfs_copy_file_range()
or do_sendfile() before calling do_splice_direct().

The only caller that does not have those checks for entire range is
ovl_copy_up_file(). In preparation for removing the checks inside
do_splice_direct(), add rw_verify_area() call in ovl_copy_up_file().

For extra safety, perform minimal sanity checks from rw_verify_area()
for non negative offsets also in the copy up do_splice_direct() loop
without calling the file permission hooks.

This is needed for fanotify "pre content" events.

Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Link: https://lore.kernel.org/r/20231122122715.2561213-2-amir73il@gmail.com
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>

authored by

Amir Goldstein and committed by
Christian Brauner ca7ab482 0db1d539

+25 -1
+25 -1
fs/overlayfs/copy_up.c
··· 230 230 return ovl_real_fileattr_set(new, &newfa); 231 231 } 232 232 233 + static int ovl_verify_area(loff_t pos, loff_t pos2, loff_t len, loff_t totlen) 234 + { 235 + loff_t tmp; 236 + 237 + if (WARN_ON_ONCE(pos != pos2)) 238 + return -EIO; 239 + if (WARN_ON_ONCE(pos < 0 || len < 0 || totlen < 0)) 240 + return -EIO; 241 + if (WARN_ON_ONCE(check_add_overflow(pos, len, &tmp))) 242 + return -EIO; 243 + return 0; 244 + } 245 + 233 246 static int ovl_copy_up_file(struct ovl_fs *ofs, struct dentry *dentry, 234 247 struct file *new_file, loff_t len) 235 248 { ··· 257 244 int error = 0; 258 245 259 246 ovl_path_lowerdata(dentry, &datapath); 260 - if (WARN_ON(datapath.dentry == NULL)) 247 + if (WARN_ON_ONCE(datapath.dentry == NULL) || 248 + WARN_ON_ONCE(len < 0)) 261 249 return -EIO; 262 250 263 251 old_file = ovl_path_open(&datapath, O_LARGEFILE | O_RDONLY); 264 252 if (IS_ERR(old_file)) 265 253 return PTR_ERR(old_file); 254 + 255 + error = rw_verify_area(READ, old_file, &old_pos, len); 256 + if (!error) 257 + error = rw_verify_area(WRITE, new_file, &new_pos, len); 258 + if (error) 259 + goto out_fput; 266 260 267 261 /* Try to use clone_file_range to clone up within the same fs */ 268 262 ovl_start_write(dentry); ··· 328 308 skip_hole = false; 329 309 } 330 310 } 311 + 312 + error = ovl_verify_area(old_pos, new_pos, this_len, len); 313 + if (error) 314 + break; 331 315 332 316 ovl_start_write(dentry); 333 317 bytes = do_splice_direct(old_file, &old_pos,