diff options
| author | Miklos Szeredi <mszeredi@redhat.com> | 2025-08-12 14:46:34 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-09-19 16:35:46 +0200 |
| commit | 532b87643f6aa69540c4bb7ecdeb0f9d17991780 (patch) | |
| tree | 1d63cb546ad64dd1a756370fc25bc56919a0752a | |
| parent | b7c40f063ff4432e861a36836a62a91b567c0cf4 (diff) | |
fuse: prevent overflow in copy_file_range return value
commit 1e08938c3694f707bb165535df352ac97a8c75c9 upstream.
The FUSE protocol uses struct fuse_write_out to convey the return value of
copy_file_range, which is restricted to uint32_t. But the COPY_FILE_RANGE
interface supports a 64-bit size copies.
Currently the number of bytes copied is silently truncated to 32-bit, which
may result in poor performance or even failure to copy in case of
truncation to zero.
Reported-by: Florian Weimer <fweimer@redhat.com>
Closes: https://lore.kernel.org/all/lhuh5ynl8z5.fsf@oldenburg.str.redhat.com/
Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()")
Cc: <stable@vger.kernel.org> # v4.20
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/fuse/file.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 260dcaf35123..49659d1b2932 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -3229,7 +3229,7 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in, .nodeid_out = ff_out->nodeid, .fh_out = ff_out->fh, .off_out = pos_out, - .len = len, + .len = min_t(size_t, len, UINT_MAX & PAGE_MASK), .flags = flags }; struct fuse_write_out outarg; |