pidfs: validate extensible ioctls

[ Upstream commit 3c17001b21 ] Validate extensible ioctls stricter than we do now. Reviewed-by: Aleksa Sarai <cyphar@cyphar.com> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-12-06 10:00:17 +00:00 · 2025-09-12 13:52:24 +02:00
parent 9f0f659ea9
commit bf0fbf5e8b
2 changed files with 15 additions and 1 deletions
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -440,7 +440,7 @@ static bool pidfs_ioctl_valid(unsigned int cmd)
 		 * erronously mistook the file descriptor for a pidfd.
 		 * This is not perfect but will catch most cases.
 		 */
-		return (_IOC_TYPE(cmd) == _IOC_TYPE(PIDFD_GET_INFO));
+		return extensible_ioctl_valid(cmd, PIDFD_GET_INFO, PIDFD_INFO_SIZE_VER0);
 	}

 	return false;
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -4025,4 +4025,18 @@ static inline bool vfs_empty_path(int dfd, const char __user *path)

 int generic_atomic_write_valid(struct kiocb *iocb, struct iov_iter *iter);

+static inline bool extensible_ioctl_valid(unsigned int cmd_a,
+					  unsigned int cmd_b, size_t min_size)
+{
+	if (_IOC_DIR(cmd_a) != _IOC_DIR(cmd_b))
+		return false;
+	if (_IOC_TYPE(cmd_a) != _IOC_TYPE(cmd_b))
+		return false;
+	if (_IOC_NR(cmd_a) != _IOC_NR(cmd_b))
+		return false;
+	if (_IOC_SIZE(cmd_a) < min_size)
+		return false;
+	return true;
+}
+
 #endif /* _LINUX_FS_H */