fanotify: sanitize handle_type values when reporting fid
authorAmir Goldstein <amir73il@gmail.com>
Fri, 27 Jun 2025 10:48:35 +0000 (12:48 +0200)
committerJan Kara <jack@suse.cz>
Fri, 27 Jun 2025 17:17:26 +0000 (19:17 +0200)
Unlike file_handle, type and len of struct fanotify_fh are u8.
Traditionally, filesystems return handle_type < 0xff, but there
is no enforcement for that in vfs.

Add a sanity check in fanotify to avoid truncating handle_type
if its value is > 0xff.

Fixes: 7cdafe6cc4a6 ("exportfs: check for error return value from exportfs_encode_*()")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250627104835.184495-1-amir73il@gmail.com
fs/notify/fanotify/fanotify.c

index 3083643b864b838f832ce0d3a7d9af67fbe6aa60..bfe884d624e7b2cfd4825adb35e26af437128c06 100644 (file)
@@ -454,7 +454,13 @@ static int fanotify_encode_fh(struct fanotify_fh *fh, struct inode *inode,
        dwords = fh_len >> 2;
        type = exportfs_encode_fid(inode, buf, &dwords);
        err = -EINVAL;
-       if (type <= 0 || type == FILEID_INVALID || fh_len != dwords << 2)
+       /*
+        * Unlike file_handle, type and len of struct fanotify_fh are u8.
+        * Traditionally, filesystem return handle_type < 0xff, but there
+        * is no enforecement for that in vfs.
+        */
+       BUILD_BUG_ON(MAX_HANDLE_SZ > 0xff || FILEID_INVALID > 0xff);
+       if (type <= 0 || type >= FILEID_INVALID || fh_len != dwords << 2)
                goto out_err;
 
        fh->type = type;
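Review bot: The comment added above the `BUILD_BUG_ON` explains why the fields are narrow but not what the check prevents, and it carries the typo "enforecement". A type wider than u8 would be truncated by `fh->type = type;` and could then look like a different, valid handle type when the fid is reported, so the comment should say that directly, e.g. `/* fh->type and fh->len are u8; reject a handle_type that does not fit rather than store a truncated one */`. The two `0xff` literals could be written as `U8_MAX` so the bound reads as the field width rather than a magic number. fanotify_encode_fh starts and ends outside the hunk, so whether fh_len is bounded by MAX_HANDLE_SZ before this point, and what the `out_err` path logs for a rejected type, cannot be checked from here.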