diff mbox series

cifs: fix signed integer overflow when fl_end is OFFSET_MAX

Message ID CAH2r5mswfhBnBxkPm=e-RnrWnYiLL=6BavH92krQ+D-XqvrEhA@mail.gmail.com
State New
Headers show
Series cifs: fix signed integer overflow when fl_end is OFFSET_MAX | expand

Commit Message

Steve French Aug. 10, 2021, 11:10 p.m. UTC 
How about the following minor change to the recent patch from Paulo -
handling the case where we are doing a whole file lock (BSD lock,
flock) - in which case the original patch would send length of 0 (but
we went to send a byte range lock of the whole file)?

+static inline u64 cifs_flock_len(struct file_lock *fl)
+{
+ return fl->fl_end == OFFSET_MAX ? fl->fl_end - fl->fl_start:
fl->fl_end - fl->fl_start + 1;
+}

instead of Paulo's original patch

+static inline u64 cifs_flock_len(struct file_lock *fl)
+{
+ return fl->fl_end == OFFSET_MAX ? 0: fl->fl_end - fl->fl_start + 1;
+}

Comments

Steve French Aug. 12, 2021, 4:05 a.m. UTC | #1 
Added one more minor change to this patch to fix the similar signed
integer overflow error in unlock_range

diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
index c9d8a50062b8..7932354bf90c 100644
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -111,7 +111,7 @@ smb2_unlock_range(struct cifsFileInfo *cfile,
struct file_lock *flock,
        struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
        struct cifsInodeInfo *cinode = CIFS_I(d_inode(cfile->dentry));
        struct cifsLockInfo *li, *tmp;
-       __u64 length = 1 + flock->fl_end - flock->fl_start;
+       __u64 length = cifs_flock_len(flock);
        struct list_head tmp_llist;

        INIT_LIST_HEAD(&tmp_llist);

also fixed the missing space after the colon in the newly added inline function

+static inline u64 cifs_flock_len(struct file_lock *fl)
+{
+       return fl->fl_end == OFFSET_MAX ? fl->fl_end - fl->fl_start :
fl->fl_end - fl->fl_start + 1;
+}
+

On Tue, Aug 10, 2021 at 6:10 PM Steve French <smfrench@gmail.com> wrote:
>
> How about the following minor change to the recent patch from Paulo -
> handling the case where we are doing a whole file lock (BSD lock,
> flock) - in which case the original patch would send length of 0 (but
> we went to send a byte range lock of the whole file)?
>
> +static inline u64 cifs_flock_len(struct file_lock *fl)
> +{
> + return fl->fl_end == OFFSET_MAX ? fl->fl_end - fl->fl_start:
> fl->fl_end - fl->fl_start + 1;
> +}
>
> instead of Paulo's original patch
>
> +static inline u64 cifs_flock_len(struct file_lock *fl)
> +{
> + return fl->fl_end == OFFSET_MAX ? 0: fl->fl_end - fl->fl_start + 1;
> +}
>
>
> --
> Thanks,
>
> Steve
diff mbox series

Patch

From 57bbe088e3c98d05f1341adaf480c6d91a574a4e Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@cjr.nz>
Date: Tue, 10 Aug 2021 13:10:44 -0300
Subject: [PATCH 1/2] cifs: fix signed integer overflow when fl_end is
 OFFSET_MAX

This fixes the following when running xfstests generic/504:

[  134.394698] CIFS: Attempting to mount \\win16.vm.test\Share
[  134.420905] CIFS: VFS: generate_smb3signingkey: dumping generated
AES session keys
[  134.420911] CIFS: VFS: Session Id    05 00 00 00 00 c4 00 00
[  134.420914] CIFS: VFS: Cipher type   1
[  134.420917] CIFS: VFS: Session Key   ea 0b d9 22 2e af 01 69 30 1b
15 74 bf 87 41 11
[  134.420920] CIFS: VFS: Signing Key   59 28 43 5c f0 b6 b1 6f f5 7b
65 f2 9f 9e 58 7d
[  134.420923] CIFS: VFS: ServerIn Key  eb aa 58 c8 95 01 9a f7 91 98
e4 fa bc d8 74 f1
[  134.420926] CIFS: VFS: ServerOut Key 08 5b 21 e5 2e 4e 86 f6 05 c2
58 e0 af 53 83 e7
[  134.771946]
================================================================================
[  134.771953] UBSAN: signed-integer-overflow in fs/cifs/file.c:1706:19
[  134.771957] 9223372036854775807 + 1 cannot be represented in type
'long long int'
[  134.771960] CPU: 4 PID: 2773 Comm: flock Not tainted 5.11.22 #1
[  134.771964] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  134.771966] Call Trace:
[  134.771970]  dump_stack+0x8d/0xb5
[  134.771981]  ubsan_epilogue+0x5/0x50
[  134.771988]  handle_overflow+0xa3/0xb0
[  134.771997]  ? lockdep_hardirqs_on_prepare+0xe8/0x1b0
[  134.772006]  cifs_setlk+0x63c/0x680 [cifs]
[  134.772085]  ? _get_xid+0x5f/0xa0 [cifs]
[  134.772085]  cifs_flock+0x131/0x400 [cifs]
[  134.772085]  __x64_sys_flock+0xfc/0x120
[  134.772085]  do_syscall_64+0x33/0x40
[  134.772085]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  134.772085] RIP: 0033:0x7fea4f83b3fb
[  134.772085] Code: ff 48 8b 15 8f 1a 0d 00 f7 d8 64 89 02 b8 ff ff
ff ff eb da e8 16 0b 02 00 66 0f 1f 44 00 00 f3 0f 1e fa b8 49 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5d 1a 0d 00 f7 d8 64 89
01 48

Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
 fs/cifs/cifsglob.h | 5 +++++
 fs/cifs/cifssmb.c  | 3 ++-
 fs/cifs/file.c     | 8 ++++----
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index c0bfc2f01030..f7bdf865f439 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1964,4 +1964,9 @@  static inline bool is_tcon_dfs(struct cifs_tcon *tcon)
 		tcon->share_flags & (SHI1005_FLAGS_DFS | SHI1005_FLAGS_DFS_ROOT);
 }
 
+static inline u64 cifs_flock_len(struct file_lock *fl)
+{
+	return fl->fl_end == OFFSET_MAX ? fl->fl_end - fl->fl_start: fl->fl_end - fl->fl_start + 1;
+}
+
 #endif	/* _CIFS_GLOB_H */
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 65d1a65bfc37..6ab6cf669438 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -2607,7 +2607,8 @@  CIFSSMBPosixLock(const unsigned int xid, struct cifs_tcon *tcon,
 
 			pLockData->fl_start = le64_to_cpu(parm_data->start);
 			pLockData->fl_end = pLockData->fl_start +
-					le64_to_cpu(parm_data->length) - 1;
+				(le64_to_cpu(parm_data->length) ?
+				 le64_to_cpu(parm_data->length) - 1 : 0);
 			pLockData->fl_pid = -le32_to_cpu(parm_data->pid);
 		}
 	}
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index 0a72840a88f1..e1cfd50996a0 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -1385,7 +1385,7 @@  cifs_push_posix_locks(struct cifsFileInfo *cfile)
 			cifs_dbg(VFS, "Can't push all brlocks!\n");
 			break;
 		}
-		length = 1 + flock->fl_end - flock->fl_start;
+		length = cifs_flock_len(flock);
 		if (flock->fl_type == F_RDLCK || flock->fl_type == F_SHLCK)
 			type = CIFS_RDLCK;
 		else
@@ -1501,7 +1501,7 @@  cifs_getlk(struct file *file, struct file_lock *flock, __u32 type,
 	   bool wait_flag, bool posix_lck, unsigned int xid)
 {
 	int rc = 0;
-	__u64 length = 1 + flock->fl_end - flock->fl_start;
+	__u64 length = cifs_flock_len(flock);
 	struct cifsFileInfo *cfile = (struct cifsFileInfo *)file->private_data;
 	struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
 	struct TCP_Server_Info *server = tcon->ses->server;
@@ -1599,7 +1599,7 @@  cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
 	struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
 	struct cifsInodeInfo *cinode = CIFS_I(d_inode(cfile->dentry));
 	struct cifsLockInfo *li, *tmp;
-	__u64 length = 1 + flock->fl_end - flock->fl_start;
+	__u64 length = cifs_flock_len(flock);
 	struct list_head tmp_llist;
 
 	INIT_LIST_HEAD(&tmp_llist);
@@ -1703,7 +1703,7 @@  cifs_setlk(struct file *file, struct file_lock *flock, __u32 type,
 	   unsigned int xid)
 {
 	int rc = 0;
-	__u64 length = 1 + flock->fl_end - flock->fl_start;
+	__u64 length = cifs_flock_len(flock);
 	struct cifsFileInfo *cfile = (struct cifsFileInfo *)file->private_data;
 	struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
 	struct TCP_Server_Info *server = tcon->ses->server;
-- 
2.30.2