From 12e4a381c5cefa4bf54547cb51d98241a54e29f3 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" Date: Sun, 23 Apr 2017 10:45:21 -0700 Subject: xfs: fix getfsmap userspace memory corruption while setting OF_LAST At the end of a getfsmap call, we will set FMR_OF_LAST in the last struct fsmap that was handed in by userspace if we've truly run out of space mapping record (as opposed to simply running out of space in the user array). Unfortunately, fmh_entries is the wrong check for whether or not we've filled out anything in the user array because the ioctl provides that fmh_count==0 sets fmh_entries without filling out the user array. Therefore we end up writing things into user memory areas that we weren't given, and kaboom. Since Christoph amended the getfsmap structure to track the number of fsmap entries we've actually filled out, use that as part of deciding if we have to set the OF_LAST flag. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig --- fs/xfs/xfs_ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'fs/xfs') diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index eee8b0f22d75..6190697603c9 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c @@ -1674,7 +1674,7 @@ xfs_ioc_getfsmap( return error; /* If we didn't abort, set the "last" flag in the last fmx */ - if (!aborted && xhead.fmh_entries) { + if (!aborted && info.idx) { info.last_flags |= FMR_OF_LAST; if (copy_to_user(&info.data->fmh_recs[info.idx - 1].fmr_flags, &info.last_flags, sizeof(info.last_flags))) -- cgit