| From: Nikita Zhandarovich <n.zhandarovich@fintech.ru> |
| Subject: nilfs2: fix possible int overflows in nilfs_fiemap() |
| Date: Sat, 25 Jan 2025 07:20:53 +0900 |
| |
| Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result |
| by being prepared to go through potentially maxblocks == INT_MAX blocks, |
| the int expression n << blkbits may overflow when n is shifted left by blkbits. |
| |
| While it is extremely unlikely to occur, play it safe and cast right hand |
| expression to wider type to mitigate the issue. |
| |
| Found by Linux Verification Center (linuxtesting.org) with static analysis |
| tool SVACE. |
| |
| Link: https://lkml.kernel.org/r/20250124222133.5323-1-konishi.ryusuke@gmail.com |
| Fixes: 622daaff0a89 ("nilfs2: fiemap support") |
| Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru> |
| Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| --- |
| |
| fs/nilfs2/inode.c | 6 +++--- |
| 1 file changed, 3 insertions(+), 3 deletions(-) |
| |
| --- a/fs/nilfs2/inode.c~nilfs2-fix-possible-int-overflows-in-nilfs_fiemap |
| +++ a/fs/nilfs2/inode.c |
| @@ -1186,7 +1186,7 @@ int nilfs_fiemap(struct inode *inode, st |
| if (size) { |
| if (phys && blkphy << blkbits == phys + size) { |
| /* The current extent goes on */ |
| - size += n << blkbits; |
| + size += (u64)n << blkbits; |
| } else { |
| /* Terminate the current extent */ |
| ret = fiemap_fill_next_extent( |
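Review bot: The widening `(u64)n << blkbits` is now spelled out three times: here at `size += (u64)n << blkbits;` and at both `size = (u64)n << blkbits;` assignments in the next hunk. A later edit to any one of them can drop the cast and quietly bring back the int-width shift. Computing the byte count once, e.g. `const u64 nbytes = (u64)n << blkbits;`, and then using `size += nbytes;` and `size = nbytes;` keeps the widening in one place. A short comment such as `/* widen before shifting: n may be as large as INT_MAX blocks */` would record why the cast exists. The enclosing branch of nilfs_fiemap() begins outside this hunk, so the right scope for the local has to be checked against the full function.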
| @@ -1199,14 +1199,14 @@ int nilfs_fiemap(struct inode *inode, st |
| flags = FIEMAP_EXTENT_MERGED; |
| logical = blkoff << blkbits; |
| phys = blkphy << blkbits; |
| - size = n << blkbits; |
| + size = (u64)n << blkbits; |
| } |
| } else { |
| /* Start a new extent */ |
| flags = FIEMAP_EXTENT_MERGED; |
| logical = blkoff << blkbits; |
| phys = blkphy << blkbits; |
| - size = n << blkbits; |
| + size = (u64)n << blkbits; |
| } |
| blkoff += n; |
| } |
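Review bot: The `(u64)n` casts in the two `size = (u64)n << blkbits;` assignments are only correct while n is non-negative. n appears to be an int (per the commit subject), and a negative int converts to a very large u64 rather than being rejected. `blkoff += n;` at the end of this hunk already relies on the same assumption, so the sign check presumably sits earlier in nilfs_fiemap(), above the lines shown here; that is worth confirming against the full function. If it holds, a one-line comment at the top of the branch, e.g. `/* n is non-negative here; negative returns are handled before this branch */`, would make the precondition for the cast explicit.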
| _ |