Commit 54ebd401 authored Dec 25, 2024 by Baokun Li

cachefiles: disallow to complete open requests with uninitialised ondemand_id

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB5UKT



--------------------------------

The ondemand_id must have been initialised before the open request was
copied to the userland. Therefore, if ondemand_id is 0 at the time of
copen, this is a malicious injected command, so -EINVAL is returned.

Signed-off-by: Baokun Li <libaokun1@huawei.com>

parent 3f4c6f73

fs/cachefiles/ondemand.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -181,7 +181,8 @@ int cachefiles_ondemand_copen(struct cachefiles_cache cache, char args)

		xa_lock(&cache->reqs);
		req = radix_tree_lookup(&cache->reqs, id);
		if (!req \|\| req->msg.opcode != CACHEFILES_OP_OPEN) {
		if (!req \|\| req->msg.opcode != CACHEFILES_OP_OPEN \|\|
		!req->object->private->ondemand_id) {
		xa_unlock(&cache->reqs);
		return -EINVAL;
		}