diff options
| author | Xi Wang <xi.wang@gmail.com> | 2012-02-08 20:13:37 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-02-08 22:03:51 -0500 |
| commit | 1ecd3c7ea76488c63b4b0a2561fd7eaf96cc8028 (patch) | |
| tree | 3bc88fd0b4fd61c86141c66e86cf5492753bcd22 | |
| parent | 98e96852480566333f6dacd3223f0be15df34d60 (diff) | |
nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
nsegs is read from userspace. Limit its value and avoid overflowing nsegs
* sizeof(__u64) in the subsequent call to memdup_user().
This patch complements 481fe17e973fb9 ("nilfs2: potential integer overflow
in nilfs_ioctl_clean_segments()").
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Haogang Chen <haogangchen@gmail.com>
Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | fs/nilfs2/ioctl.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c index 886649627c3d..2a70fce70c65 100644 --- a/fs/nilfs2/ioctl.c +++ b/fs/nilfs2/ioctl.c | |||
| @@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp, | |||
| 603 | nsegs = argv[4].v_nmembs; | 603 | nsegs = argv[4].v_nmembs; |
| 604 | if (argv[4].v_size != argsz[4]) | 604 | if (argv[4].v_size != argsz[4]) |
| 605 | goto out; | 605 | goto out; |
| 606 | if (nsegs > UINT_MAX / sizeof(__u64)) | ||
| 607 | goto out; | ||
| 606 | 608 | ||
| 607 | /* | 609 | /* |
| 608 | * argv[4] points to segment numbers this ioctl cleans. We | 610 | * argv[4] points to segment numbers this ioctl cleans. We |