Skip to content
Snippets Groups Projects
Commit 9f909c11 authored by Chirantan Ekbote's avatar Chirantan Ekbote Committed by Yang Yingliang
Browse files

fuse: Fix parameter for FS_IOC_{GET, SET}FLAGS

stable inclusion
from linux-4.19.134
commit d61cd1dcab2c675704eb4eb55d4392d25e55293a

--------------------------------

commit 31070f6c upstream.

The ioctl encoding for this parameter is a long but the documentation says
it should be an int and the kernel drivers expect it to be an int.  If the
fuse driver treats this as a long it might end up scribbling over the stack
of a userspace process that only allocated enough space for an int.

This was previously discussed in [1] and a patch for fuse was proposed in
[2].  From what I can tell the patch in [2] was nacked in favor of adding
new, "fixed" ioctls and using those from userspace.  However there is still
no "fixed" version of these ioctls and the fact is that it's sometimes
infeasible to change all userspace to use the new one.

Handling the ioctls specially in the fuse driver seems like the most
pragmatic way for fuse servers to support them without causing crashes in
userspace applications that call them.

[1]: https://lore.kernel.org/linux-fsdevel/20131126200559.GH20559@hall.aurel32.net/T/
[2]: https://sourceforge.net/p/fuse/mailman/message/31771759/



Signed-off-by: default avatarChirantan Ekbote <chirantan@chromium.org>
Fixes: 59efec7b ("fuse: implement ioctl support")
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parent 93486a5c
No related branches found
No related tags found
No related merge requests found
......@@ -18,6 +18,7 @@
#include <linux/swap.h>
#include <linux/falloc.h>
#include <linux/uio.h>
#include <linux/fs.h>
static const struct file_operations fuse_direct_io_file_operations;
......@@ -2535,7 +2536,16 @@ long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg,
struct iovec *iov = iov_page;
iov->iov_base = (void __user *)arg;
iov->iov_len = _IOC_SIZE(cmd);
switch (cmd) {
case FS_IOC_GETFLAGS:
case FS_IOC_SETFLAGS:
iov->iov_len = sizeof(int);
break;
default:
iov->iov_len = _IOC_SIZE(cmd);
break;
}
if (_IOC_DIR(cmd) & _IOC_WRITE) {
in_iov = iov;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment