* [PATCH] fs/btrfs: Integer overflow in btrfs_ioctl_resize()
@ 2013-12-20 7:28 Wenliang Fan
From: Wenliang Fan @ 2013-12-20 7:28 UTC (permalink / raw)
To: clm, jbacik; +Cc: linux-btrfs, linux-kernel, Wenliang Fan
The local variable 'new_size' comes from userspace. If a large number
was passed, there would be an integer overflow in the following line:
new_size = old_size + new_size;
Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
---
fs/btrfs/ioctl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 21da576..92f7707 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1466,6 +1466,10 @@ static noinline int btrfs_ioctl_resize(struct file *file,
}
new_size = old_size - new_size;
} else if (mod > 0) {
+ if (new_size > ULLONG_MAX - old_size) {
+ ret = -EINVAL;
+ goto out_free;
+ }
new_size = old_size + new_size;
}
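Review bot: the check `if (new_size > ULLONG_MAX - old_size)` guards the addition only if both `new_size` and `old_size` are u64, and their declarations are outside this hunk; assuming they are, the addition would otherwise wrap silently to a small value that could pass any later comparison against the device size, so rejecting it before `new_size = old_size + new_size;` is the right place. Two suggestions: put a one-line comment above the check saying it prevents u64 wraparound, since the bare arithmetic does not explain itself, and consider whether -ERANGE describes the failure better than -EINVAL, as the request is well-formed but out of range. The `mod < 0` branch that ends at the `}` above computes `new_size = old_size - new_size;` and needs a matching underflow check; it is not visible in this hunk, so please confirm one exists.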
--
1.8.5.rc1.28.g7061504