Coverity fixes in fusefs(5)

CID 1404532 fixes a signed vs unsigned comparison error in fuse_vnop_bmap. It could potentially have resulted in VOP_BMAP reporting too many consecutive blocks. CID 1404364 is much worse. It was an array access by an untrusted, user-provided variable. It could potentially have resulted in a malicious file system crashing the kernel or worse. Reported by: Coverity Reviewed by: emaste MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D21466
2019-09-06 19:40:11 +00:00 · 2019-09-06 19:40:11 +00:00 · 3451f7272d
commit 3451f7272d
parent 36fc273e60
2 changed files with 4 additions and 1 deletions
--- a/sys/fs/fuse/fuse_internal.c
+++ b/sys/fs/fuse/fuse_internal.c
@ -390,6 +390,9 @@ fuse_internal_invalidate_entry(struct mount *mp, struct uio *uio)
 	if ((err = uiomove(&fnieo, sizeof(fnieo), uio)) != 0)
 		return (err);

+	if (fnieo.namelen > sizeof(name))
+		return (EINVAL);
+
 	if ((err = uiomove(name, fnieo.namelen, uio)) != 0)
 		return (err);
 	name[fnieo.namelen] = '\0';
--- a/sys/fs/fuse/fuse_vnops.c
+++ b/sys/fs/fuse/fuse_vnops.c
@ -504,7 +504,7 @@ fuse_vnop_bmap(struct vop_bmap_args *ap)
 	if (runp != NULL) {
 		error = fuse_vnode_size(vp, &filesize, td->td_ucred, td);
 		if (error == 0)
-			*runp = MIN(MAX(0, filesize / biosize - lbn - 1),
+			*runp = MIN(MAX(0, filesize / (off_t)biosize - lbn - 1),
 				    maxrun);
 		else
 			*runp = 0;