author | Sahitya Tummala <stummala@codeaurora.org> | 2019-09-17 00:49:23 -0400 |
---|---|---|
committer | Jaegeuk Kim <jaegeuk@kernel.org> | 2019-09-17 16:56:15 -0400 |
commit | fbbf779989d2ef9a51daaa4e53c0b2ecc8c55c4e (patch) | |
tree | 2f12ef343c175b800765c41ba913dc430059e50f | |
parent | 8223ecc456d079ef9b7a1fed237134cf62e9e870 (diff) |
f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()
end = range.start + range.len;
If the range.start/range.len is a very large value, then end can overflow
in this operation. It results in a crash in get_valid_blocks() when
accessing the invalid range.start segno.
This issue is reported in ioctl fuzz testing.
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-rw-r--r-- | fs/f2fs/file.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index aea82f2b9240..e4b78fb3fc79 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c | |||
@@ -2264,9 +2264,9 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg) | |||
2264 | return -EROFS; | 2264 | return -EROFS; |
2265 | 2265 | ||
2266 | end = range.start + range.len; | 2266 | end = range.start + range.len; |
2267 | if (range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi)) { | 2267 | if (end < range.start || range.start < MAIN_BLKADDR(sbi) || |
2268 | end >= MAX_BLKADDR(sbi)) | ||
2268 | return -EINVAL; | 2269 | return -EINVAL; |
2269 | } | ||
2270 | 2270 | ||
2271 | ret = mnt_want_write_file(filp); | 2271 | ret = mnt_want_write_file(filp); |
2272 | if (ret) | 2272 | if (ret) |
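Review bot: the new `end < range.start` test at the start of the rewritten condition only catches the wraparound if `end` and `range.start` are unsigned and of the same width, and their declarations are outside this hunk, so that is worth confirming before relying on it. The addition `end = range.start + range.len;` is still performed first and the overflow is inferred afterwards; using check_add_overflow() from linux/overflow.h, or at least a one-line comment above the condition, would make the intent explicit to anyone who later reorders or extends the bounds checks against MAIN_BLKADDR(sbi) and MAX_BLKADDR(sbi). Note also that a zero `range.len` gives `end == range.start` and passes the new test, so whether an empty range should be accepted here deserves a sentence in the commit message or a separate check.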