[RFC v2 2/2] fs: correctly check for signed integer overflow in vfs_fallocate

[Sasha Levin]

Both "offset" and "len" are signed integers who's addition may overflow
and trigger undefined behaviour.

Signed-off-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
---
 fs/open.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/open.c b/fs/open.c
index 813be03..33d5cae 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -287,7 +287,8 @@ int vfs_fallocate(struct file *file, int mode, loff_t offset, loff_t len)
 		return -ENODEV;
 
 	/* Check for wrap through zero too */
-	if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
+	if (check_add_overflow(offset, len) ||
+	   (offset + len) > inode->i_sb->s_maxbytes)
 		return -EFBIG;
 
 	if (!file->f_op->fallocate)
-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/