diff options
| author | Miklos Szeredi <mszeredi@redhat.com> | 2025-08-12 15:46:34 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-09-19 17:32:04 +0300 |
| commit | 8577ded2ee3dbc21df99830dd9726dd6ec0054a7 (patch) | |
| tree | 7f7d752dbe20b1d34668cf7e304ccbeb09740bb3 /fs/fuse/file.c | |
| parent | 01e1eba64860d6ae502b2d3ff0f83843991f86ef (diff) | |
| download | linux-8577ded2ee3dbc21df99830dd9726dd6ec0054a7.tar.xz | |
fuse: prevent overflow in copy_file_range return value
commit 1e08938c3694f707bb165535df352ac97a8c75c9 upstream.
The FUSE protocol uses struct fuse_write_out to convey the return value of
copy_file_range, which is restricted to uint32_t. But the COPY_FILE_RANGE
interface supports a 64-bit size copies.
Currently the number of bytes copied is silently truncated to 32-bit, which
may result in poor performance or even failure to copy in case of
truncation to zero.
Reported-by: Florian Weimer <fweimer@redhat.com>
Closes: https://lore.kernel.org/all/lhuh5ynl8z5.fsf@oldenburg.str.redhat.com/
Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()")
Cc: <stable@vger.kernel.org> # v4.20
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/fuse/file.c')
| -rw-r--r-- | fs/fuse/file.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 1a0f07710a2b..952c99fcb636 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -3106,7 +3106,7 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in, .nodeid_out = ff_out->nodeid, .fh_out = ff_out->fh, .off_out = pos_out, - .len = len, + .len = min_t(size_t, len, UINT_MAX & PAGE_MASK), .flags = flags }; struct fuse_write_out outarg; |