| From 684a3ff7e69acc7c678d1a1394fe9e757993fd34 Mon Sep 17 00:00:00 2001 |
| From: Li Wang <liwang@nudt.edu.cn> |
| Date: Thu, 19 Jan 2012 09:44:36 +0800 |
| Subject: eCryptfs: Infinite loop due to overflow in ecryptfs_write() |
| |
| From: Li Wang <liwang@nudt.edu.cn> |
| |
| commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34 upstream. |
| |
| ecryptfs_write() can enter an infinite loop when truncating a file to a |
| size larger than 4G. This only happens on architectures where size_t is |
| represented by 32 bits. |
| |
| This was caused by a size_t overflow due to it incorrectly being used to |
| store the result of a calculation which uses potentially large values of |
| type loff_t. |
| |
| [tyhicks@canonical.com: rewrite subject and commit message] |
| Signed-off-by: Li Wang <liwang@nudt.edu.cn> |
| Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn> |
| Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com> |
| Signed-off-by: Tyler Hicks <tyhicks@canonical.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/ecryptfs/read_write.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/fs/ecryptfs/read_write.c |
| +++ b/fs/ecryptfs/read_write.c |
| @@ -134,7 +134,7 @@ int ecryptfs_write(struct file *ecryptfs |
| pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); |
| size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); |
| size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); |
| - size_t total_remaining_bytes = ((offset + size) - pos); |
| + loff_t total_remaining_bytes = ((offset + size) - pos); |
| |
| if (fatal_signal_pending(current)) { |
| rc = -EINTR; |
| @@ -145,7 +145,7 @@ int ecryptfs_write(struct file *ecryptfs |
| num_bytes = total_remaining_bytes; |
| if (pos < offset) { |
| /* remaining zeros to write, up to destination offset */ |
| - size_t total_remaining_zeros = (offset - pos); |
| + loff_t total_remaining_zeros = (offset - pos); |
| |
| if (num_bytes > total_remaining_zeros) |
| num_bytes = total_remaining_zeros; |