From: Wenliang Fan
Date: Fri, 20 Dec 2013 07:28:56 +0000 (+0800)
Subject: fs/btrfs: Integer overflow in btrfs_ioctl_resize()
X-Git-Tag: firefly_0821_release~176^2~3883^2~225
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=eb8052e015f2c015926db45943f8ee724ace97e5;p=firefly-linux-kernel-4.4.55.git

fs/btrfs: Integer overflow in btrfs_ioctl_resize()

The local variable 'new_size' comes from userspace. If a large number was passed, there would be an integer overflow in the following line:

    new_size = old_size + new_size;

Signed-off-by: Wenliang Fan
Signed-off-by: Josef Bacik
Signed-off-by: Chris Mason
---
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index edf5f0093f22..ed3edc283255 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -1474,6 +1474,10 @@ static noinline int btrfs_ioctl_resize(struct file *file, } new_size = old_size - new_size; } else if (mod > 0) { + if (new_size > ULLONG_MAX - old_size) { + ret = -EINVAL; + goto out_free; + } new_size = old_size + new_size; }
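Review bot: the `mod < 0` branch immediately above the added lines (`new_size = old_size - new_size;`) has no guard visible in this hunk against `new_size > old_size`, which would wrap the u64 subtraction in exactly the same way the commit message describes for the addition; if that check already exists earlier in the function it is outside the shown context, so please confirm it, and otherwise add the symmetric `if (new_size > old_size) { ret = -EINVAL; goto out_free; }` before it. The added overflow test is in the right form: `new_size > ULLONG_MAX - old_size` computes the remaining headroom first, so the comparison itself cannot wrap, unlike testing `old_size + new_size < old_size` after the fact; a one-line comment saying so would help the next reader, and the commit message would be stronger if it spelled out the consequence, namely that a wrapped sum looks like a small, plausible size to whatever checks follow.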
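To make the failure mode in the commit message concrete, here is an added, stand-alone C illustration. It is not code from the commit or from the btrfs source; `resize_unchecked`, `resize_checked`, `fits_device` and the constructed sizes are this example's own. `resize_unchecked` mirrors the pre-patch arithmetic, `resize_checked` applies the patch's headroom test (`ULLONG_MAX - old_size`, written here with `UINT64_MAX`) and, as an assumption not shown in the hunk, the symmetric guard for the subtraction branch. `fits_device` stands in for a downstream "does the requested size fit the device" comparison, to show why the wrapped value is dangerous rather than merely wrong.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration; names and values are the example's own. */

enum resize_rc { RESIZE_OK = 0, RESIZE_EINVAL = -22 };

/* Pre-patch arithmetic: a u64 sum silently wraps modulo 2^64. */
static uint64_t resize_unchecked(uint64_t old_size, uint64_t delta, int mod)
{
    if (mod < 0)
        return old_size - delta;   /* wraps if delta > old_size */
    if (mod > 0)
        return old_size + delta;   /* wraps if old_size + delta > UINT64_MAX */
    return delta;                  /* mod == 0: absolute size requested */
}

/* Patched arithmetic. The addition guard has the same form as the patch:
 * compare against the remaining headroom, so the test cannot itself wrap.
 * The subtraction guard is assumed for this example; the hunk does not show it. */
static int resize_checked(uint64_t old_size, uint64_t delta, int mod, uint64_t *out)
{
    if (mod < 0) {
        if (delta > old_size)
            return RESIZE_EINVAL;
        *out = old_size - delta;
    } else if (mod > 0) {
        if (delta > UINT64_MAX - old_size)   /* ULLONG_MAX - old_size in the patch */
            return RESIZE_EINVAL;
        *out = old_size + delta;
    } else {
        *out = delta;
    }
    return RESIZE_OK;
}

/* A later sanity check of the kind a wrapped value slips past:
 * a tiny new_size looks perfectly acceptable. */
static bool fits_device(uint64_t new_size, uint64_t device_total_bytes)
{
    return new_size <= device_total_bytes;
}

int main(void)
{
    const uint64_t old_size = 1ULL << 40;      /* current size: 1 TiB */
    const uint64_t total    = 2ULL << 40;      /* device capacity: 2 TiB */
    /* Chosen so that old_size + delta == UINT64_MAX + 4096, i.e. wraps to 4095. */
    const uint64_t bad_delta = UINT64_MAX - old_size + 4096;
    uint64_t out;

    uint64_t wrapped = resize_unchecked(old_size, bad_delta, 1);
    printf("unchecked: old %llu + delta %llu = %llu, fits device: %s\n",
           (unsigned long long)old_size, (unsigned long long)bad_delta,
           (unsigned long long)wrapped, fits_device(wrapped, total) ? "yes" : "no");

    int rc = resize_checked(old_size, bad_delta, 1, &out);
    printf("checked:   rc = %d (%s)\n", rc, rc == RESIZE_OK ? "accepted" : "rejected");

    rc = resize_checked(old_size, 1ULL << 30, 1, &out);
    printf("checked:   +1 GiB -> rc = %d, new size %llu\n", rc, (unsigned long long)out);
    return 0;
}
```

Running the program shows the unchecked sum collapsing to 4095 bytes, a value the capacity check happily accepts, while the checked version rejects the same request with -EINVAL and still accepts an ordinary 1 GiB grow.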