| From foo@baz Thu Dec 21 09:02:40 CET 2017 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Fri, 17 Mar 2017 23:51:20 +0300 |
| Subject: Btrfs: fix an integer overflow check |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| |
| [ Upstream commit 457ae7268b29c33dee1c0feb143a15f6029d177b ] |
| |
| This isn't super serious because you need CAP_ADMIN to run this code. |
| |
| I added this integer overflow check last year but apparently I am |
| rubbish at writing integer overflow checks... There are two issues. |
| First, access_ok() works on unsigned long type and not u64 so on 32 bit |
| systems the access_ok() could be checking a truncated size. The other |
| issue is that we should be using a stricter limit so we don't overflow |
| the kzalloc() setting ctx->clone_roots later in the function after the |
| access_ok(): |
| |
| alloc_size = sizeof(struct clone_root) * (arg->clone_sources_count + 1); |
| sctx->clone_roots = kzalloc(alloc_size, GFP_KERNEL | __GFP_NOWARN); |
| |
| Fixes: f5ecec3ce21f ("btrfs: send: silence an integer overflow warning") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Reviewed-by: David Sterba <dsterba@suse.com> |
| [ added comment ] |
| Signed-off-by: David Sterba <dsterba@suse.com> |
| |
| Signed-off-by: Sasha Levin <alexander.levin@verizon.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| fs/btrfs/send.c | 7 ++++++- |
| 1 file changed, 6 insertions(+), 1 deletion(-) |
| |
| --- a/fs/btrfs/send.c |
| +++ b/fs/btrfs/send.c |
| @@ -6196,8 +6196,13 @@ long btrfs_ioctl_send(struct file *mnt_f |
| goto out; |
| } |
| |
| + /* |
| + * Check that we don't overflow at later allocations, we request |
| + * clone_sources_count + 1 items, and compare to unsigned long inside |
| + * access_ok. |
| + */ |
| if (arg->clone_sources_count > |
| - ULLONG_MAX / sizeof(*arg->clone_sources)) { |
| + ULONG_MAX / sizeof(struct clone_root) - 1) { |
| ret = -EINVAL; |
| goto out; |
| } |
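Review bot: The comment added at the top of this hunk does not say why a limit built from sizeof(struct clone_root) also protects the access_ok() length, which the removed line bounded with sizeof(*arg->clone_sources). One bound covers both products only while struct clone_root is at least as large as one clone_sources element, so the comment should state that dependency, or a compile-time assertion such as `BUILD_BUG_ON(sizeof(struct clone_root) < sizeof(*arg->clone_sources));` should sit next to the check. It would also help to spell out that the trailing `- 1` is what leaves room for the `clone_sources_count + 1` items requested later, since "compare to unsigned long inside access_ok" is terse for a reader who has not seen the commit message.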
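The two problems named in the commit message, modelled in user-space C as an added example (not code from the kernel or from the patch author). `unsigned long` is modelled as a 32-bit type; the 32-byte size for `struct clone_root` and the sample counts are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit kernel: unsigned long is 32 bits wide. */
typedef uint32_t ulong32;

#define SRC_ELEM_SIZE   8u  /* sizeof(*arg->clone_sources), a u64 */
#define CLONE_ROOT_SIZE 32u /* ASSUMED size of struct clone_root */

/* Pre-patch check: limit derived from ULLONG_MAX and the u64 element. */
int old_check_rejects(uint64_t count)
{
    return count > UINT64_MAX / SRC_ELEM_SIZE;
}

/* Post-patch check: limit derived from ULONG_MAX and struct clone_root. */
int new_check_rejects(uint64_t count)
{
    return count > UINT32_MAX / CLONE_ROOT_SIZE - 1;
}

/* Byte length after narrowing to unsigned long, as access_ok() sees it. */
ulong32 access_ok_size(uint64_t count)
{
    return (ulong32)(count * SRC_ELEM_SIZE);
}

/* alloc_size for kzalloc(), computed in 32-bit arithmetic. */
ulong32 alloc_size(uint64_t count)
{
    return CLONE_ROOT_SIZE * ((ulong32)count + 1);
}

int main(void)
{
    /* Constructed inputs: 2^29, and the largest count the new check allows. */
    uint64_t samples[] = { 0x20000000ull, UINT32_MAX / CLONE_ROOT_SIZE - 1 };

    for (int i = 0; i < 2; i++) {
        uint64_t c = samples[i];
        printf("count=%llu old_rejects=%d new_rejects=%d "
               "access_ok_size=%u alloc_size=%u\n",
               (unsigned long long)c, old_check_rejects(c), new_check_rejects(c),
               (unsigned)access_ok_size(c), (unsigned)alloc_size(c));
    }
    return 0;
}
```

With a count of 2^29 the old check passes while the modelled access_ok() length wraps to 0 and the allocation size wraps to 32 bytes; the new check rejects that count, and the largest count it accepts still yields an allocation size that fits in 32 bits.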