ftruncate: pass a signed offset
stable inclusion from stable-v4.19.316 commit c329760749b5419769e57cb2be80955d2805f9c9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOW CVE: CVE-2024-42084 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=tags/v4.19.317&id=c329760749b5419769e57cb2be80955d2805f9c9 -------------------------------- commit 4b8e88e563b5f666446d002ad0dc1e6e8e7102b0 upstream. The old ftruncate() syscall, using the 32-bit off_t misses a sign extension when called in compat mode on 64-bit architectures. As a result, passing a negative length accidentally succeeds in truncating to file size between 2GiB and 4GiB. Changing the type of the compat syscall to the signed compat_off_t changes the behavior so it instead returns -EINVAL. The native entry point, the truncate() syscall and the corresponding loff_t based variants are all correct already and do not suffer from this mistake. Fixes: 3f6d078d ("fix compat truncate/ftruncate") Reviewed-by:Christian Brauner <brauner@kernel.org> Cc: stable@vger.kernel.org Signed-off-by:
Loading
Please sign in to comment