[PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
@ 2012-02-03 15:26 Xi Wang
  2012-02-04  3:13 ` Ryusuke Konishi
  0 siblings, 1 reply; 3+ messages in thread
From: Xi Wang @ 2012-02-03 15:26 UTC (permalink / raw)
  To: KONISHI Ryusuke
  Cc: linux-nilfs, linux-kernel, Xi Wang, Haogang Chen, Andrew Morton

nsegs is read from userspace.  Limit its value and avoid overflowing
nsegs * sizeof(__u64) in the subsequent call to memdup_user().

This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Haogang Chen <haogangchen@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
---
 fs/nilfs2/ioctl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 8866496..2a70fce 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
 	nsegs = argv[4].v_nmembs;
 	if (argv[4].v_size != argsz[4])
 		goto out;
+	if (nsegs > UINT_MAX / sizeof(__u64))
+		goto out;
 
 	/*
 	 * argv[4] points to segment numbers this ioctl cleans.  We
-- 
1.7.5.4


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
  2012-02-03 15:26 [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments() Xi Wang
@ 2012-02-04  3:13 ` Ryusuke Konishi
  2012-02-04  4:36   ` Andrew Morton
  0 siblings, 1 reply; 3+ messages in thread
From: Ryusuke Konishi @ 2012-02-04  3:13 UTC (permalink / raw)
  To: xi.wang, akpm; +Cc: linux-nilfs, linux-kernel, haogangchen

On Fri,  3 Feb 2012 10:26:07 -0500, Xi Wang wrote:
> nsegs is read from userspace.  Limit its value and avoid overflowing
> nsegs * sizeof(__u64) in the subsequent call to memdup_user().
> 
> This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: Haogang Chen <haogangchen@gmail.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> ---
>  fs/nilfs2/ioctl.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>


Thank you for posting this fix.

Andrew, could you send this uptream in this cycle ?

Ryusuke Konishi

> diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
> index 8866496..2a70fce 100644
> --- a/fs/nilfs2/ioctl.c
> +++ b/fs/nilfs2/ioctl.c
> @@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
>  	nsegs = argv[4].v_nmembs;
>  	if (argv[4].v_size != argsz[4])
>  		goto out;
> +	if (nsegs > UINT_MAX / sizeof(__u64))
> +		goto out;
>  
>  	/*
>  	 * argv[4] points to segment numbers this ioctl cleans.  We
> -- 
> 1.7.5.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
  2012-02-04  3:13 ` Ryusuke Konishi
@ 2012-02-04  4:36   ` Andrew Morton
  0 siblings, 0 replies; 3+ messages in thread
From: Andrew Morton @ 2012-02-04  4:36 UTC (permalink / raw)
  To: Ryusuke Konishi; +Cc: xi.wang, linux-nilfs, linux-kernel, haogangchen

On Sat, 04 Feb 2012 12:13:02 +0900 (JST) Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> wrote:

> On Fri,  3 Feb 2012 10:26:07 -0500, Xi Wang wrote:
> > nsegs is read from userspace.  Limit its value and avoid overflowing
> > nsegs * sizeof(__u64) in the subsequent call to memdup_user().
> > 
> > This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.
> > 
> > Signed-off-by: Xi Wang <xi.wang@gmail.com>
> > Cc: Haogang Chen <haogangchen@gmail.com>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > ---
> >  fs/nilfs2/ioctl.c |    2 ++
> >  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
> 
> 
> Thank you for posting this fix.
> 
> Andrew, could you send this uptream in this cycle ?

I sure can.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2012-02-04  4:35 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-02-03 15:26 [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments() Xi Wang
2012-02-04  3:13 ` Ryusuke Konishi
2012-02-04  4:36   ` Andrew Morton

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox