From: Vitaly Osipov <vitaly.osipov@gmail.com>
Date: Sat, 26 Apr 2014 15:08:21 +0000 (+1000)
Subject: staging: lustre: check for integer overflow
X-Git-Tag: firefly_0821_release~176^2~3465^2~39^2~1116
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=7bc3dfa37ba6f6ea81c362eb1993bd20c0828eae;p=firefly-linux-kernel-4.4.55.git

staging: lustre: check for integer overflow

In ll_ioctl_fiemap(), a user-supplied value is used to calculate a
length of a buffer which is later allocated with user data.

Signed-off-by: Vitaly Osipov <vitaly.osipov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/staging/lustre/lustre/llite/file.c b/drivers/staging/lustre/lustre/llite/file.c
index 562e33751197..d87f96d9e0fa 100644
--- a/drivers/staging/lustre/lustre/llite/file.c
+++ b/drivers/staging/lustre/lustre/llite/file.c
@@ -1829,6 +1829,10 @@ static int ll_ioctl_fiemap(struct inode *inode, unsigned long arg)
 	if (get_user(extent_count,
 	    &((struct ll_user_fiemap __user *)arg)->fm_extent_count))
 		return -EFAULT;
+
+	if (extent_count >=
+	    (SIZE_MAX - sizeof(*fiemap_s)) / sizeof(struct ll_fiemap_extent))
+		return -EINVAL;
 	num_bytes = sizeof(*fiemap_s) + (extent_count *
 					 sizeof(struct ll_fiemap_extent));