Commit 8631e01c authored by Amir Goldstein, committed by Jan Kara

fanotify: sanitize handle_type values when reporting fid



Unlike file_handle, type and len of struct fanotify_fh are u8.
Traditionally, filesystems return handle_type < 0xff, but there
is no enforcement for that in vfs.

Add a sanity check in fanotify to avoid truncating handle_type
if its value is > 0xff.

Fixes: 7cdafe6c ("exportfs: check for error return value from exportfs_encode_*()")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250627104835.184495-1-amir73il@gmail.com
parent e5403415
+7 −1
@@ -454,7 +454,13 @@ static int fanotify_encode_fh(struct fanotify_fh *fh, struct inode *inode,
	dwords = fh_len >> 2;
	type = exportfs_encode_fid(inode, buf, &dwords);
	err = -EINVAL;
	if (type <= 0 || type == FILEID_INVALID || fh_len != dwords << 2)
	/*
	 * Unlike file_handle, type and len of struct fanotify_fh are u8.
	 * Traditionally, filesystem return handle_type < 0xff, but there
	 * is no enforecement for that in vfs.
	 */
	BUILD_BUG_ON(MAX_HANDLE_SZ > 0xff || FILEID_INVALID > 0xff);
	if (type <= 0 || type >= FILEID_INVALID || fh_len != dwords << 2)
		goto out_err;

	fh->type = type;
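Review bot: the comment above the `BUILD_BUG_ON` explains that `type` and `len` are u8 but not why the runtime bound in `if (type <= 0 || type >= FILEID_INVALID || ...)` is `FILEID_INVALID` rather than 0xff. The check is only a truncation guard because the build-time assertion pins `FILEID_INVALID` to at most 0xff, and it also rejects any handle type between `FILEID_INVALID` and 0xff, which the commit message ("if its value is > 0xff") does not mention. Suggest adding one sentence to the comment saying that every type at or above `FILEID_INVALID` is refused so that the assignment `fh->type = type` cannot truncate. Two smaller points in the same hunk: "enforecement" in the comment should read "enforcement", and splitting the `BUILD_BUG_ON` into one assertion for `MAX_HANDLE_SZ` and one for `FILEID_INVALID` would make a build failure identify which constant outgrew u8.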