fuse: prevent overflow in copy_file_range return value
commit1e08938c36upstream. The FUSE protocol uses struct fuse_write_out to convey the return value of copy_file_range, which is restricted to uint32_t. But the COPY_FILE_RANGE interface supports a 64-bit size copies. Currently the number of bytes copied is silently truncated to 32-bit, which may result in poor performance or even failure to copy in case of truncation to zero. Reported-by: Florian Weimer <fweimer@redhat.com> Closes: https://lore.kernel.org/all/lhuh5ynl8z5.fsf@oldenburg.str.redhat.com/ Fixes:88bc7d5097("fuse: add support for copy_file_range()") Cc: <stable@vger.kernel.org> # v4.20 Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Miklos Szeredi
Greg Kroah-Hartman
parent
b7c40f063f
commit
532b87643f
|
|
@ -3229,7 +3229,7 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
|
||||||
.nodeid_out = ff_out->nodeid,
|
.nodeid_out = ff_out->nodeid,
|
||||||
.fh_out = ff_out->fh,
|
.fh_out = ff_out->fh,
|
||||||
.off_out = pos_out,
|
.off_out = pos_out,
|
||||||
.len = len,
|
.len = min_t(size_t, len, UINT_MAX & PAGE_MASK),
|
||||||
.flags = flags
|
.flags = flags
|
||||||
};
|
};
|
||||||
struct fuse_write_out outarg;
|
struct fuse_write_out outarg;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue