From: David Howells <dhowells@redhat.com>
Date: Tue, 23 Aug 2022 14:07:55 +0100
Subject: [PATCH] smb3: fix temporary data corruption in insert range
Git-commit: 9c8b7a293f50253e694f19161c045817a938e551
References: bsc#1190317 CVE-2022-48667 bsc#1223518
Patch-mainline: v6.0-rc4
insert range doesn't discard the affected cached region
so can risk temporarily corrupting file data.
Also includes some minor cleanup (avoiding rereading
inode size repeatedly unnecessarily) to make it clearer.
Cc: stable@vger.kernel.org
Fixes: 7fe6fe95b936 ("cifs: add FALLOC_FL_INSERT_RANGE support")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Acked-by: Enzo Matsumiya <ematsumiya@suse.de>
---
fs/cifs/smb2ops.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -3751,17 +3751,21 @@ static long smb3_insert_range(struct fil
unsigned int xid;
struct cifsFileInfo *cfile = file->private_data;
__le64 eof;
- __u64 count;
+ __u64 count, old_eof;
xid = get_xid();
- if (off >= i_size_read(file->f_inode)) {
+ inode_lock(file->f_inode);
+
+ old_eof = i_size_read(file->f_inode);
+
+ if (off >= old_eof) {
rc = -EINVAL;
goto out;
}
- count = i_size_read(file->f_inode) - off;
- eof = cpu_to_le64(i_size_read(file->f_inode) + len);
+ count = old_eof - off;
+ eof = cpu_to_le64(old_eof + len);
rc = SMB2_set_eof(xid, tcon, cfile->fid.persistent_fid,
cfile->fid.volatile_fid, cfile->pid, &eof);
@@ -3778,6 +3782,7 @@ static long smb3_insert_range(struct fil
rc = 0;
out:
+ inode_unlock(file->f_inode);
free_xid(xid);
return rc;
}