fuse: prevent overflow in copy_file_range return value

The FUSE protocol uses struct fuse_write_out to convey the return value of
copy_file_range, which is restricted to uint32_t.  But the COPY_FILE_RANGE
interface supports a 64-bit size copies.

Currently the number of bytes copied is silently truncated to 32-bit, which
may result in poor performance or even failure to copy in case of
truncation to zero.

Reported-by: Florian Weimer <fweimer@redhat.com>
Closes: https://lore.kernel.org/all/lhuh5ynl8z5.fsf@oldenburg.str.redhat.com/
Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()")
Cc: <stable@vger.kernel.org> # v4.20
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 45207a6bb85fb667200a0221e2b1a536960d8e74..4adcf09d4b01a6a5522563315c3da2e767a7e341 100644 (file)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2960,7 +2960,7 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
                .nodeid_out = ff_out->nodeid,
                .fh_out = ff_out->fh,
                .off_out = pos_out,
-               .len = len,
+               .len = min_t(size_t, len, UINT_MAX & PAGE_MASK),
                .flags = flags
        };
        struct fuse_write_out outarg;