|
|
@@ -14,6 +14,7 @@
|
|
|
#include <linux/security.h>
|
|
|
#include <linux/module.h>
|
|
|
#include <linux/syscalls.h>
|
|
|
+#include <linux/pagemap.h>
|
|
|
|
|
|
#include <asm/uaccess.h>
|
|
|
#include <asm/unistd.h>
|
|
|
@@ -182,22 +183,33 @@ bad:
|
|
|
}
|
|
|
#endif
|
|
|
|
|
|
+/*
|
|
|
+ * rw_verify_area doesn't like huge counts. We limit
|
|
|
+ * them to something that fits in "int" so that others
|
|
|
+ * won't have to do range checks all the time.
|
|
|
+ */
|
|
|
+#define MAX_RW_COUNT (INT_MAX & PAGE_CACHE_MASK)
|
|
|
|
|
|
int rw_verify_area(int read_write, struct file *file, loff_t *ppos, size_t count)
|
|
|
{
|
|
|
struct inode *inode;
|
|
|
loff_t pos;
|
|
|
|
|
|
- if (unlikely(count > INT_MAX))
|
|
|
+ if (unlikely((ssize_t) count < 0))
|
|
|
goto Einval;
|
|
|
pos = *ppos;
|
|
|
if (unlikely((pos < 0) || (loff_t) (pos + count) < 0))
|
|
|
goto Einval;
|
|
|
|
|
|
inode = file->f_dentry->d_inode;
|
|
|
- if (inode->i_flock && MANDATORY_LOCK(inode))
|
|
|
- return locks_mandatory_area(read_write == READ ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE, inode, file, pos, count);
|
|
|
- return 0;
|
|
|
+ if (inode->i_flock && MANDATORY_LOCK(inode)) {
|
|
|
+ int retval = locks_mandatory_area(
|
|
|
+ read_write == READ ? FLOCK_VERIFY_READ : FLOCK_VERIFY_WRITE,
|
|
|
+ inode, file, pos, count);
|
|
|
+ if (retval < 0)
|
|
|
+ return retval;
|
|
|
+ }
|
|
|
+ return count > MAX_RW_COUNT ? MAX_RW_COUNT : count;
|
|
|
|
|
|
Einval:
|
|
|
return -EINVAL;
|
|
|
@@ -244,7 +256,8 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
|
|
|
return -EFAULT;
|
|
|
|
|
|
ret = rw_verify_area(READ, file, pos, count);
|
|
|
- if (!ret) {
|
|
|
+ if (ret >= 0) {
|
|
|
+ count = ret;
|
|
|
ret = security_file_permission (file, MAY_READ);
|
|
|
if (!ret) {
|
|
|
if (file->f_op->read)
|
|
|
@@ -295,7 +308,8 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_
|
|
|
return -EFAULT;
|
|
|
|
|
|
ret = rw_verify_area(WRITE, file, pos, count);
|
|
|
- if (!ret) {
|
|
|
+ if (ret >= 0) {
|
|
|
+ count = ret;
|
|
|
ret = security_file_permission (file, MAY_WRITE);
|
|
|
if (!ret) {
|
|
|
if (file->f_op->write)
|
|
|
@@ -497,7 +511,7 @@ static ssize_t do_readv_writev(int type, struct file *file,
|
|
|
}
|
|
|
|
|
|
ret = rw_verify_area(type, file, pos, tot_len);
|
|
|
- if (ret)
|
|
|
+ if (ret < 0)
|
|
|
goto out;
|
|
|
ret = security_file_permission(file, type == READ ? MAY_READ : MAY_WRITE);
|
|
|
if (ret)
|
|
|
@@ -653,8 +667,9 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
|
|
|
if (!(in_file->f_mode & FMODE_PREAD))
|
|
|
goto fput_in;
|
|
|
retval = rw_verify_area(READ, in_file, ppos, count);
|
|
|
- if (retval)
|
|
|
+ if (retval < 0)
|
|
|
goto fput_in;
|
|
|
+ count = retval;
|
|
|
|
|
|
retval = security_file_permission (in_file, MAY_READ);
|
|
|
if (retval)
|
|
|
@@ -674,8 +689,9 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
|
|
|
goto fput_out;
|
|
|
out_inode = out_file->f_dentry->d_inode;
|
|
|
retval = rw_verify_area(WRITE, out_file, &out_file->f_pos, count);
|
|
|
- if (retval)
|
|
|
+ if (retval < 0)
|
|
|
goto fput_out;
|
|
|
+ count = retval;
|
|
|
|
|
|
retval = security_file_permission (out_file, MAY_WRITE);
|
|
|
if (retval)
|
Linus Torvalds