On Fri 27-06-25 12:48:35, Amir Goldstein wrote: > Unlike file_handle, type and len of struct fanotify_fh are u8. > Traditionally, filesystems return handle_type < 0xff, but there > is no enforcement for that in vfs. > > Add a sanity check in fanotify to avoid truncating handle_type > if its value is > 0xff. > > Fixes: 7cdafe6cc4a6 ("exportfs: check for error return value from exportfs_encode_*()") > Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx> Thanks. Added to my tree. Honza > --- > > Jan, > > This cleanup is a followup to the review of FILEID_PIDFS. > The Fixes commit is a bit misleading because there is no bug in the > Fixes commit, it's just a fix-it-better statement, which is > practical for stable backporting. > > Thanks, > Amir. > > fs/notify/fanotify/fanotify.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c > index 3083643b864b..bfe884d624e7 100644 > --- a/fs/notify/fanotify/fanotify.c > +++ b/fs/notify/fanotify/fanotify.c > @@ -454,7 +454,13 @@ static int fanotify_encode_fh(struct fanotify_fh *fh, struct inode *inode, > dwords = fh_len >> 2; > type = exportfs_encode_fid(inode, buf, &dwords); > err = -EINVAL; > - if (type <= 0 || type == FILEID_INVALID || fh_len != dwords << 2) > + /* > + * Unlike file_handle, type and len of struct fanotify_fh are u8. > + * Traditionally, filesystem return handle_type < 0xff, but there > + * is no enforecement for that in vfs. > + */ > + BUILD_BUG_ON(MAX_HANDLE_SZ > 0xff || FILEID_INVALID > 0xff); > + if (type <= 0 || type >= FILEID_INVALID || fh_len != dwords << 2) > goto out_err; > > fh->type = type; > -- > 2.43.0 > -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
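Review bot: in the fanotify_encode_fh() hunk, the BUILD_BUG_ON covers both MAX_HANDLE_SZ and FILEID_INVALID, but the runtime condition that follows only tightens the type side (type >= FILEID_INVALID); nothing in the visible lines bounds fh_len by MAX_HANDLE_SZ, so the u8 guarantee for len depends on a limit enforced outside this hunk. Either extend the new comment to say where fh_len is capped, or add an explicit fh_len > MAX_HANDLE_SZ test to the same condition so both u8 fields are guarded in one place. Two smaller points on the same lines: splitting the assertion into one BUILD_BUG_ON per constant would show which one tripped if either ever grows past 0xff, and the added comment carries the typo "enforecement" (and "filesystem return" should read "filesystems return").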