| From 9a9512d0e4913257d3eeb31a1e096ef090371300 Mon Sep 17 00:00:00 2001 |
| From: Coly Li <colyli@suse.de> |
| Date: Thu, 20 Dec 2018 22:31:25 +0800 |
| Subject: [PATCH 11/11] bcache: fix input overflow to cache set sysfs file |
| io_error_halflife |
| |
| Cache set sysfs entry io_error_halflife is used to set c->error_decay. |
| c->error_decay is in type unsigned int, and it is converted by |
| strtoul_or_return(), therefore overflow to c->error_decay is possible |
| for a large input value. |
| |
| This patch fixes the overflow by using strtoul_safe_clamp() to convert |
| input string to an unsigned long value in range [0, UINT_MAX], then |
| divides by 88 and set it to c->error_decay. |
| |
| Signed-off-by: Coly Li <colyli@suse.de> |
| --- |
| drivers/md/bcache/sysfs.c | 10 ++++++++-- |
| 1 file changed, 8 insertions(+), 2 deletions(-) |
| |
| diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c |
| index 9c80e816de5d..8721e2f5fff6 100644 |
| --- a/drivers/md/bcache/sysfs.c |
| +++ b/drivers/md/bcache/sysfs.c |
| @@ -792,8 +792,14 @@ STORE(__bch_cache_set) |
| sysfs_strtoul_clamp(io_error_limit, c->error_limit, 0, UINT_MAX); |
| |
| /* See count_io_errors() for why 88 */ |
| - if (attr == &sysfs_io_error_halflife) |
| - c->error_decay = strtoul_or_return(buf) / 88; |
| + if (attr == &sysfs_io_error_halflife) { |
| + long v; |
| + |
| + v = strtoul_safe_clamp(buf, v, 0, UINT_MAX); |
| + if (v < 0) |
| + return v; |
| + c->error_decay = v / 88; |
| + } |
| |
| if (attr == &sysfs_io_disable) { |
| v = strtoul_or_return(buf); |
| -- |
| 2.16.4 |
| |
