From mboxrd@z Thu Jan 1 00:00:00 1970 From: Christoph Hellwig Subject: [PATCH 2/3] hfsplus: fix overflow in hfsplus_read_wrapper Date: Tue, 15 Feb 2011 14:14:43 +0100 Message-ID: <20110215131443.GB6720@lst.de> References: <20110215131433.GA6720@lst.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii To: linux-fsdevel@vger.kernel.org Return-path: Received: from verein.lst.de ([213.95.11.210]:59057 "EHLO verein.lst.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751197Ab1BONOo (ORCPT ); Tue, 15 Feb 2011 08:14:44 -0500 Received: from verein.lst.de (localhost [127.0.0.1]) by verein.lst.de (8.12.3/8.12.3/Debian-7.1) with ESMTP id p1FDEhE5006751 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for ; Tue, 15 Feb 2011 14:14:43 +0100 Received: (from hch@localhost) by verein.lst.de (8.12.3/8.12.3/Debian-7.2) id p1FDEhEQ006750 for linux-fsdevel@vger.kernel.org; Tue, 15 Feb 2011 14:14:43 +0100 Content-Disposition: inline In-Reply-To: <20110215131433.GA6720@lst.de> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: For partitions larger than 2TB or at such an offset the hfs wrapper code in hfsplus might overflow the range representable in a 32-bit data type. Make sure we use a sector_t for the arithmetics leading to it. I'm not sure this code can be readed at all as hfs itself never supported such large volumes. Signed-off-by: Christoph Hellwig Index: linux-2.6/fs/hfsplus/wrapper.c =================================================================== --- linux-2.6.orig/fs/hfsplus/wrapper.c 2011-02-15 13:42:59.676423416 +0100 +++ linux-2.6/fs/hfsplus/wrapper.c 2011-02-15 13:43:40.711164800 +0100 @@ -169,8 +169,9 @@ reread: if (!hfsplus_read_mdb(sbi->s_vhdr, &wd)) goto out_free_backup_vhdr; wd.ablk_size >>= HFSPLUS_SECTOR_SHIFT; - part_start += wd.ablk_start + wd.embed_start * wd.ablk_size; - part_size = wd.embed_count * wd.ablk_size; + part_start += (sector_t)wd.ablk_start + + (sector_t)wd.embed_start * wd.ablk_size; + part_size = (sector_t)wd.embed_count * wd.ablk_size; goto reread; default: /*