author: Samuel Moelius <sam.moelius@trailofbits.com> 2026-06-10 03:37:18 +0300
committer: Miklos Szeredi <mszeredi@redhat.com> 2026-06-15 15:06:14 +0300
commit: 54243797cedf55447b4c5d560e8cd709900061ae (patch)
tree: 0c079712a4f11612b689ee3c4155faaed33894c7 /include/linux
parent: 1c57a69be962d459c5e705f5cb4355b841b3461c (diff)
download: linux-54243797cedf55447b4c5d560e8cd709900061ae.tar.xz
fuse: avoid 32-bit prune notification count wrap
FUSE_NOTIFY_PRUNE validates the nodeid payload length with:

    size - sizeof(outarg) != outarg.count * sizeof(u64)

On 32-bit kernels, size_t is also 32 bits, so the daemon-controlled count multiplication can wrap. A prune notification with count 0x20000000 and no nodeid payload passes the check, enters the copy loop, and asks the device copy path to read nodeids that are not present in the userspace write buffer. In QEMU this reaches the fuse_copy_fill() BUG_ON(!err) path.

Validate the payload length with array_size() instead. That accepts exactly the same valid messages, but avoids wrapping arithmetic before the copy loop consumes the count.

Assisted-by: Codex:gpt-5.5-cyber-preview
Fixes: 3f29d59e92a9 ("fuse: add prune notification")
Cc: stable@vger.kernel.org
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
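The wrap described in the commit message, as an added userspace model that is not the kernel's code: size_t is narrowed to a 32-bit type, the FUSE_NOTIFY_PRUNE header is stood in for by an assumed 8-byte struct carrying the count, and array_size() is emulated with __builtin_mul_overflow() saturating to SIZE_MAX on overflow, which is the property the fix relies on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model a 32-bit kernel: size_t is only 32 bits wide. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Assumed stand-in for the prune notification header: a u32 count of
 * u64 nodeids that follow it (layout is an assumption, not the real struct). */
struct prune_out_model {
	uint32_t count;
	uint32_t padding;
};

/* Userspace emulation of the kernel's array_size(): never wraps, it
 * saturates to SIZE_MAX so any later length comparison fails safely. */
static size32_t array_size32(size32_t n, size32_t elem_size)
{
	size32_t bytes;
	if (__builtin_mul_overflow(n, elem_size, &bytes))
		return SIZE32_MAX;
	return bytes;
}

/* Pre-fix check: count * sizeof(u64) is plain 32-bit arithmetic and wraps. */
bool prune_len_ok_wrapping(size32_t size, uint32_t count)
{
	if (size < sizeof(struct prune_out_model))
		return false;
	size32_t payload = (size32_t)((size32_t)count * (size32_t)sizeof(uint64_t));
	return size - sizeof(struct prune_out_model) == payload;
}

/* Post-fix check: overflow-checked multiplication, same valid messages accepted. */
bool prune_len_ok_checked(size32_t size, uint32_t count)
{
	if (size < sizeof(struct prune_out_model))
		return false;
	return size - sizeof(struct prune_out_model) ==
	       array_size32(count, (size32_t)sizeof(uint64_t));
}

int main(void)
{
	/* Header only (8 bytes) with the count from the commit message. */
	printf("wrapping check: %d\n", prune_len_ok_wrapping(8, 0x20000000u));
	printf("checked  check: %d\n", prune_len_ok_checked(8, 0x20000000u));
	return 0;
}
```

With count 0x20000000 the product is exactly 2^32, so the wrapping check sees a payload length of 0 and accepts a header-only message; the overflow-checked version rejects it while still accepting a well-formed two-nodeid message.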