Commit 691115c3 authored Sep 07, 2018 by Eric Biggers Committed by Mimi Zohar Oct 10, 2018

vfs: require i_size <= SIZE_MAX in kernel_read_file()



On 32-bit systems, the buffer allocated by kernel_read_file() is too
small if the file size is > SIZE_MAX, due to truncation to size_t.

Fortunately, since the 'count' argument to kernel_read() is also
truncated to size_t, only the allocated space is filled; then, -EIO is
returned since 'pos != i_size' after the read loop.

But this is not obvious and seems incidental.  We should be more
explicit about this case.  So, fail early if i_size > SIZE_MAX.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

parent e6123c52

fs/exec.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -908,14 +908,14 @@ int kernel_read_file(struct file file, void buf, loff_t size,
		goto out;

		i_size = i_size_read(file_inode(file));
		if (max_size > 0 && i_size > max_size) {
		ret = -EFBIG;
		goto out;
		}
		if (i_size <= 0) {
		ret = -EINVAL;
		goto out;
		}
		if (i_size > SIZE_MAX \|\| (max_size > 0 && i_size > max_size)) {
		ret = -EFBIG;
		goto out;
		}

		if (id != READING_FIRMWARE_PREALLOC_BUFFER)
		*buf = vmalloc(i_size);