hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB5UKT
--------------------------------
The ondemand_id must have been initialised before the open request was copied to the userland. Therefore, if ondemand_id is 0 at the time of copen, this is a malicious injected command, so -EINVAL is returned.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
---
 fs/cachefiles/ondemand.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c index cf996eadd1af..9f3e7d994aed 100644 --- a/fs/cachefiles/ondemand.c +++ b/fs/cachefiles/ondemand.c @@ -181,7 +181,8 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args)
xa_lock(&cache->reqs); req = radix_tree_lookup(&cache->reqs, id); - if (!req || req->msg.opcode != CACHEFILES_OP_OPEN) { + if (!req || req->msg.opcode != CACHEFILES_OP_OPEN || + !req->object->private->ondemand_id) { xa_unlock(&cache->reqs); return -EINVAL; }
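Review bot: In the new third clause of the condition in cachefiles_ondemand_copen(), `req->object->private` is dereferenced with no NULL check, so the test relies on every CACHEFILES_OP_OPEN request found in cache->reqs having both `object` and `private` set by the time copen can reach it. Please confirm that invariant holds, or say so in the commit message. The clause also rejects only an ondemand_id of exactly 0, and a one-line comment above the condition noting that 0 means the open request has not yet been copied to userland would keep the intent visible to later readers. All three failure cases return the same -EINVAL, which is fine for the caller but gives no way to tell an unknown id from an injected copen when debugging.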