pidfs: validate extensible ioctls

Validate extensible ioctls stricter than we do now.

Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>

diff --git a/fs/pidfs.c b/fs/pidfs.c
index edc35522d75c49ce0d1fc1f777a77d03ab7855c7..0a5083b9cce5b88d8d95307f6ea7910ac3b8c20e 100644 (file)
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -440,7 +440,7 @@ static bool pidfs_ioctl_valid(unsigned int cmd)
                 * erronously mistook the file descriptor for a pidfd.
                 * This is not perfect but will catch most cases.
                 */
-               return (_IOC_TYPE(cmd) == _IOC_TYPE(PIDFD_GET_INFO));
+               return extensible_ioctl_valid(cmd, PIDFD_GET_INFO, PIDFD_INFO_SIZE_VER0);
        }
 
        return false;

diff --git a/include/linux/fs.h b/include/linux/fs.h
index d7ab4f96d7051f23246c1a16a2d09b1ffcd2d5de..2f2edc53bf3c85c1f38f03a9d1af266a59fb2e6f 100644 (file)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -4023,4 +4023,18 @@ static inline bool vfs_empty_path(int dfd, const char __user *path)
 
 int generic_atomic_write_valid(struct kiocb *iocb, struct iov_iter *iter);
 
+static inline bool extensible_ioctl_valid(unsigned int cmd_a,
+                                         unsigned int cmd_b, size_t min_size)
+{
+       if (_IOC_DIR(cmd_a) != _IOC_DIR(cmd_b))
+               return false;
+       if (_IOC_TYPE(cmd_a) != _IOC_TYPE(cmd_b))
+               return false;
+       if (_IOC_NR(cmd_a) != _IOC_NR(cmd_b))
+               return false;
+       if (_IOC_SIZE(cmd_a) < min_size)
+               return false;
+       return true;
+}
+
 #endif /* _LINUX_FS_H */