| author | Samuel Moelius <sam.moelius@trailofbits.com> | 2026-06-10 03:37:18 +0300 |
|---|---|---|
| committer | Miklos Szeredi <mszeredi@redhat.com> | 2026-06-15 15:06:14 +0300 |
| commit | 54243797cedf55447b4c5d560e8cd709900061ae (patch) | |
| tree | 0c079712a4f11612b689ee3c4155faaed33894c7 /include/linux | |
| parent | 1c57a69be962d459c5e705f5cb4355b841b3461c (diff) | |
| download | linux-54243797cedf55447b4c5d560e8cd709900061ae.tar.xz | |
fuse: avoid 32-bit prune notification count wrap

FUSE_NOTIFY_PRUNE validates the nodeid payload length with:

    size - sizeof(outarg) != outarg.count * sizeof(u64)

On 32-bit kernels, size_t is also 32 bits, so the daemon-controlled
count multiplication can wrap. A prune notification with count
0x20000000 and no nodeid payload passes the check, enters the copy
loop, and asks the device copy path to read nodeids that are not
present in the userspace write buffer. In QEMU this reaches the
fuse_copy_fill() BUG_ON(!err) path.

Validate the payload length with array_size() instead. That accepts
exactly the same valid messages, but avoids wrapping arithmetic before
the copy loop consumes the count.

Assisted-by: Codex:gpt-5.5-cyber-preview
Fixes: 3f29d59e92a9 ("fuse: add prune notification")
Cc: stable@vger.kernel.org
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
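The wrap the commit message describes, and the effect of a saturating array_size()-style check, can be reproduced in user space. The following is an added illustration written for this page; it is not the kernel's code and not the patch itself. It models a 32-bit size_t with uint32_t, uses a constructed stand-in header struct (`struct prune_out`, two u32 fields, 8 bytes) in place of the real FUSE structure, and the hypothetical helper `array_size32()` mirrors the documented behaviour of the kernel's array_size() (saturate to the maximum size on overflow) rather than being that macro.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the prune notification header: only the
 * element count matters for the length check modelled here. */
struct prune_out {
	uint32_t count;   /* number of u64 nodeids that should follow */
	uint32_t padding; /* keeps the header 8 bytes, like a real outarg would */
};

/* Simulate a 32-bit kernel's size_t so the multiplication wraps. */
typedef uint32_t size32_t;

/* Hypothetical helper modelled on the kernel's array_size(): on
 * overflow it saturates to the maximum size instead of wrapping, so the
 * caller's equality test can never be satisfied by a wrapped product. */
size32_t array_size32(size32_t n, size32_t elem)
{
	size32_t bytes;

	if (__builtin_mul_overflow(n, elem, &bytes))
		return UINT32_MAX;
	return bytes;
}

/* The pre-fix check as it behaves with a 32-bit size_t: count * 8 is
 * computed modulo 2^32, so a count of 0x20000000 yields 0 and a message
 * with no payload at all is accepted. */
bool prune_len_ok_wrapping(size32_t size, uint32_t count)
{
	size32_t expected;

	if (size < sizeof(struct prune_out))
		return false;
	expected = count * (size32_t)sizeof(uint64_t); /* wraps on overflow */
	return (size32_t)(size - sizeof(struct prune_out)) == expected;
}

/* The same check with the saturating helper: every message the wrapping
 * version correctly accepts is still accepted, but a count whose byte
 * size overflows is rejected before any copy loop could run. */
bool prune_len_ok_checked(size32_t size, uint32_t count)
{
	if (size < sizeof(struct prune_out))
		return false;
	return (size32_t)(size - sizeof(struct prune_out)) ==
	       array_size32(count, (size32_t)sizeof(uint64_t));
}

int main(void)
{
	/* Constructed sample messages: (total length, header count). */
	struct { size32_t size; uint32_t count; const char *label; } msgs[] = {
		{ 8 + 2 * 8,  2,           "valid: two nodeids" },
		{ 8,          0,           "valid: empty prune" },
		{ 8,          1,           "short: one nodeid claimed, none sent" },
		{ 8,          0x20000000u, "wrap: count * 8 == 2^32" },
	};
	size_t i;

	for (i = 0; i < sizeof(msgs) / sizeof(msgs[0]); i++)
		printf("%-40s wrapping=%d checked=%d\n", msgs[i].label,
		       prune_len_ok_wrapping(msgs[i].size, msgs[i].count),
		       prune_len_ok_checked(msgs[i].size, msgs[i].count));
	return 0;
}
```

Running it shows the two checks agreeing on every well-formed and plainly short message and disagreeing only on the wrapped count, which is the property the commit message claims for the array_size() version ("exactly the same valid messages", no wrapping arithmetic). On a 64-bit build of the real kernel the product would not wrap for this count, which is why the message singles out 32-bit kernels.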
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
