xfs: fix over-copying of getbmap parameters from userspace
author: Darrick J. Wong <darrick.wong@oracle.com>
Mon, 3 Apr 2017 22:17:57 +0000 (15:17 -0700)
committer: Darrick J. Wong <darrick.wong@oracle.com>
Mon, 3 Apr 2017 22:18:16 +0000 (15:18 -0700)
In xfs_ioc_getbmap, we should only copy the fields of struct getbmap
from userspace, or else we end up copying random stack contents into the
kernel.  struct getbmap is a strict subset of getbmapx, so a partial
structure copy should work fine.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
fs/xfs/xfs_ioctl.c

index 2fd7fdf5438f0be85220b9981bff09efce773079..6d30b06e79bcb4a7ec716a2000258fb65b706475 100644 (file)
@@ -1543,10 +1543,11 @@ xfs_ioc_getbmap(
        unsigned int            cmd,
        void                    __user *arg)
 {
-       struct getbmapx         bmx;
+       struct getbmapx         bmx = { 0 };
        int                     error;
 
-       if (copy_from_user(&bmx, arg, sizeof(struct getbmapx)))
+       /* struct getbmap is a strict subset of struct getbmapx. */
+       if (copy_from_user(&bmx, arg, offsetof(struct getbmapx, bmv_iflags)))
                return -EFAULT;
 
        if (bmx.bmv_count < 2)
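Review bot: the `offsetof(struct getbmapx, bmv_iflags)` copy length encodes a layout assumption that is only stated in the comment, namely that every field of `struct getbmap` appears, in the same order and at the same offsets, as the leading fields of `struct getbmapx`, with `bmv_iflags` being the first field that `struct getbmap` lacks. That assumption is exactly what makes this a "partial structure copy", so it should be enforced at compile time rather than left to a comment; a `BUILD_BUG_ON(sizeof(struct getbmap) != offsetof(struct getbmapx, bmv_iflags));` placed before the `copy_from_user()` would turn any future reordering or extension of either struct into a build failure instead of a silent over-read or short copy. The `bmx = { 0 }` initializer is the other half of the fix and should stay: with the shorter copy, `bmv_iflags` and the fields after it are no longer filled from the user buffer, and without the zero-initialization they would carry whatever was previously on the kernel stack into the rest of the ioctl, which is the "random stack contents" problem the commit message describes.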