Commit ca7ab482 authored by Amir Goldstein's avatar Amir Goldstein Committed by Christian Brauner

ovl: add permission hooks outside of do_splice_direct()

The main callers of do_splice_direct() also call rw_verify_area() for
the entire range that is being copied, e.g. by vfs_copy_file_range()
or do_sendfile() before calling do_splice_direct().

The only caller that does not have those checks for entire range is
ovl_copy_up_file().  In preparation for removing the checks inside
do_splice_direct(), add rw_verify_area() call in ovl_copy_up_file().

For extra safety, perform minimal sanity checks from rw_verify_area()
for non negative offsets also in the copy up do_splice_direct() loop
without calling the file permission hooks.

This is needed for fanotify "pre content" events.
Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
Link: https://lore.kernel.org/r/20231122122715.2561213-2-amir73il@gmail.comReviewed-by: default avatarChristoph Hellwig <hch@lst.de>
Reviewed-by: default avatarJan Kara <jack@suse.cz>
Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
parent 0db1d539
...@@ -230,6 +230,19 @@ static int ovl_copy_fileattr(struct inode *inode, const struct path *old, ...@@ -230,6 +230,19 @@ static int ovl_copy_fileattr(struct inode *inode, const struct path *old,
return ovl_real_fileattr_set(new, &newfa); return ovl_real_fileattr_set(new, &newfa);
} }
static int ovl_verify_area(loff_t pos, loff_t pos2, loff_t len, loff_t totlen)
{
loff_t tmp;
if (WARN_ON_ONCE(pos != pos2))
return -EIO;
if (WARN_ON_ONCE(pos < 0 || len < 0 || totlen < 0))
return -EIO;
if (WARN_ON_ONCE(check_add_overflow(pos, len, &tmp)))
return -EIO;
return 0;
}
static int ovl_copy_up_file(struct ovl_fs *ofs, struct dentry *dentry, static int ovl_copy_up_file(struct ovl_fs *ofs, struct dentry *dentry,
struct file *new_file, loff_t len) struct file *new_file, loff_t len)
{ {
...@@ -244,13 +257,20 @@ static int ovl_copy_up_file(struct ovl_fs *ofs, struct dentry *dentry, ...@@ -244,13 +257,20 @@ static int ovl_copy_up_file(struct ovl_fs *ofs, struct dentry *dentry,
int error = 0; int error = 0;
ovl_path_lowerdata(dentry, &datapath); ovl_path_lowerdata(dentry, &datapath);
if (WARN_ON(datapath.dentry == NULL)) if (WARN_ON_ONCE(datapath.dentry == NULL) ||
WARN_ON_ONCE(len < 0))
return -EIO; return -EIO;
old_file = ovl_path_open(&datapath, O_LARGEFILE | O_RDONLY); old_file = ovl_path_open(&datapath, O_LARGEFILE | O_RDONLY);
if (IS_ERR(old_file)) if (IS_ERR(old_file))
return PTR_ERR(old_file); return PTR_ERR(old_file);
error = rw_verify_area(READ, old_file, &old_pos, len);
if (!error)
error = rw_verify_area(WRITE, new_file, &new_pos, len);
if (error)
goto out_fput;
/* Try to use clone_file_range to clone up within the same fs */ /* Try to use clone_file_range to clone up within the same fs */
ovl_start_write(dentry); ovl_start_write(dentry);
cloned = do_clone_file_range(old_file, 0, new_file, 0, len, 0); cloned = do_clone_file_range(old_file, 0, new_file, 0, len, 0);
...@@ -309,6 +329,10 @@ static int ovl_copy_up_file(struct ovl_fs *ofs, struct dentry *dentry, ...@@ -309,6 +329,10 @@ static int ovl_copy_up_file(struct ovl_fs *ofs, struct dentry *dentry,
} }
} }
error = ovl_verify_area(old_pos, new_pos, this_len, len);
if (error)
break;
ovl_start_write(dentry); ovl_start_write(dentry);
bytes = do_splice_direct(old_file, &old_pos, bytes = do_splice_direct(old_file, &old_pos,
new_file, &new_pos, new_file, &new_pos,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment