[PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()

From: Xi Wang
Date: Fri Feb 03 2012 - 10:28:44 EST

Next message: Andy Lutomirski: "Re: vsyscall=emulate regression"
Previous message: Cyrill Gorcunov: "[patch 2/4] syscalls, x86: Add __NR_kcmp syscall v7"
Next in thread: Ryusuke Konishi: "Re: [PATCH] nilfs2: avoid overflowing segment numbers innilfs_ioctl_clean_segments()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

nsegs is read from userspace. Limit its value and avoid overflowing
nsegs * sizeof(__u64) in the subsequent call to memdup_user().

This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.

Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
Cc: Haogang Chen <haogangchen@xxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
fs/nilfs2/ioctl.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 8866496..2a70fce 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
nsegs = argv[4].v_nmembs;
if (argv[4].v_size != argsz[4])
goto out;
+ if (nsegs > UINT_MAX / sizeof(__u64))
+ goto out;

/*
* argv[4] points to segment numbers this ioctl cleans. We
--
1.7.5.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andy Lutomirski: "Re: vsyscall=emulate regression"
Previous message: Cyrill Gorcunov: "[patch 2/4] syscalls, x86: Add __NR_kcmp syscall v7"
Next in thread: Ryusuke Konishi: "Re: [PATCH] nilfs2: avoid overflowing segment numbers innilfs_ioctl_clean_segments()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]