From mboxrd@z Thu Jan 1 00:00:00 1970
From: Xi Wang
Subject: [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
Date: Fri, 3 Feb 2012 10:26:07 -0500
Message-ID: <1328282767-13158-1-git-send-email-xi.wang@gmail.com>
Sender: linux-nilfs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: KONISHI Ryusuke
Cc: linux-nilfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Xi Wang, Haogang Chen, Andrew Morton

nsegs is read from userspace. Limit its value and avoid overflowing nsegs * sizeof(__u64) in the subsequent call to memdup_user().

This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.

Signed-off-by: Xi Wang
Cc: Haogang Chen
Cc: Andrew Morton

--- fs/nilfs2/ioctl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c index 8866496..2a70fce 100644 --- a/fs/nilfs2/ioctl.c +++ b/fs/nilfs2/ioctl.c @@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp, nsegs = argv[4].v_nmembs; if (argv[4].v_size != argsz[4]) goto out; + if (nsegs > UINT_MAX / sizeof(__u64)) + goto out; /* * argv[4] points to segment numbers this ioctl cleans. We -- 1.7.5.4
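
Review bot: the added `nsegs > UINT_MAX / sizeof(__u64)` test, placed right after the `argv[4].v_size` check, carries no comment saying what it protects, and the bound only rules out wraparound in `nsegs * sizeof(__u64)`; a caller can still ask memdup_user() for a buffer close to 4 GiB. A one-line comment naming the multiplication being guarded would make the intent clear to later readers, and the commit message's "Limit its value" could state that the limit is an overflow bound, not a sanity cap on the segment count. Both checks leave through `goto out` without setting an error in the visible lines, so it is worth confirming that the return value at that point is the one intended for a rejected argument.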