Commit 1ecd3c7e authored by Xi Wang's avatar Xi Wang Committed by Linus Torvalds
Browse files

nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments() 



nsegs is read from userspace.  Limit its value and avoid overflowing nsegs
* sizeof(__u64) in the subsequent call to memdup_user().

This patch complements 481fe17e ("nilfs2: potential integer overflow
in nilfs_ioctl_clean_segments()").

Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Cc: Haogang Chen <haogangchen@gmail.com>
Acked-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 98e96852

fs/nilfs2/ioctl.c

+2 −0
Original line number Diff line number Diff line
@@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp, 
	nsegs = argv[4].v_nmembs;

	if (argv[4].v_size != argsz[4])

		goto out;

	if (nsegs > UINT_MAX / sizeof(__u64))

		goto out;



	/*

	 * argv[4] points to segment numbers this ioctl cleans.  We

CRA Git | Maintained and supported by SUSTech CRA and CCSE