From 51eecfe82d24998bb2bef98df59adbbfdcd195e0 Mon Sep 17 00:00:00 2001 From: Trond Myklebust Date: Mon, 2 Dec 2024 20:54:42 +0800 Subject: [PATCH] filemap: Fix bounds checking in filemap_read() stable inclusion from stable-v6.6.61 commit a2746ab3bbc9c6408da5cd072653ec8c24749235 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AUF CVE: CVE-2024-50272 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a2746ab3bbc9c6408da5cd072653ec8c24749235 -------------------------------- commit ace149e0830c380ddfce7e466fe860ca502fe4ee upstream. If the caller supplies an iocb->ki_pos value that is close to the filesystem upper limit, and an iterator with a count that causes us to overflow that limit, then filemap_read() enters an infinite loop. This behaviour was discovered when testing xfstests generic/525 with the "localio" optimisation for loopback NFS mounts. Reported-by: Mike Snitzer Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()") Tested-by: Mike Snitzer Signed-off-by: Trond Myklebust Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Conflicts: mm/filemap.c [Context conflicts.] Signed-off-by: Jinjiang Tu --- mm/filemap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/filemap.c b/mm/filemap.c index b48ec6fc8f4b..c8863a76d531 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -2554,7 +2554,7 @@ ssize_t generic_file_buffered_read(struct kiocb *iocb, if (unlikely(!iov_iter_count(iter))) return 0; - iov_iter_truncate(iter, inode->i_sb->s_maxbytes); + iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos); if (nr_pages > ARRAY_SIZE(pages_onstack)) pages = kmalloc_array(nr_pages, sizeof(void *), GFP_KERNEL); -- Gitee
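Review bot: the new expression `inode->i_sb->s_maxbytes - iocb->ki_pos` only bounds the iterator correctly when `iocb->ki_pos` is strictly below `s_maxbytes`; with `ki_pos >= s_maxbytes` the subtraction wraps and `iov_iter_truncate()` is effectively a no-op, which would reintroduce the runaway loop the subject describes. The hunk's three context lines show only the `!iov_iter_count(iter)` early return, so please confirm the backported tree still carries the `ki_pos >= s_maxbytes` guard that the `Fixes: c2a9737f45e2` commit introduced ahead of this truncate, and consider a one-line comment above the call stating that it relies on that guard. Also worth recording in the backport note: the hunk applies inside `generic_file_buffered_read()` while the subject refers to `filemap_read()`, which is consistent with the declared context conflict but helps the next person auditing CVE-2024-50272 coverage on this branch.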