fs/btrfs: Integer overflow in btrfs_ioctl_resize()
authorWenliang Fan <fanwlexca@gmail.com>
Fri, 20 Dec 2013 07:28:56 +0000 (15:28 +0800)
committerChris Mason <clm@fb.com>
Tue, 28 Jan 2014 21:20:11 +0000 (13:20 -0800)
The local variable 'new_size' comes from userspace. If a large number
was passed, there would be an integer overflow in the following line:
new_size = old_size + new_size;

Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Chris Mason <clm@fb.com>
fs/btrfs/ioctl.c

index edf5f0093f22292199cb828b40ffa321bafef1b5..ed3edc2832554b429c460428a1e57656d2822481 100644 (file)
@@ -1474,6 +1474,10 @@ static noinline int btrfs_ioctl_resize(struct file *file,
                }
                new_size = old_size - new_size;
        } else if (mod > 0) {
+               if (new_size > ULLONG_MAX - old_size) {
+                       ret = -EINVAL;
+                       goto out_free;
+               }
                new_size = old_size + new_size;
        }