fs/btrfs: Integer overflow in btrfs_ioctl_resize()

The local variable 'new_size' comes from userspace. If a large number was passed, there would be an integer overflow in the following line: new_size = old_size + new_size; Signed-off-by: N Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: N Josef Bacik <jbacik@fb.com> Signed-off-by: N Chris Mason <clm@fb.com>

fs/btrfs: Integer overflow in btrfs_ioctl_resize()
The local variable 'new_size' comes from userspace. If a large number was passed, there would be an integer overflow in the following line: new_size = old_size + new_size; Signed-off-by: N Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: N Josef Bacik <jbacik@fb.com> Signed-off-by: N Chris Mason <clm@fb.com>
eb8052e0 · Wenliang Fan · Chris Mason · c9ea7b24 · eb8052e0
显示空白变更内容
内联并排

Showing with 4 addition and 0 deletion

fs/btrfs/ioctl.c fs/btrfs/ioctl.c +4 -0

未找到文件。
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1474,6 +1474,10 @@ static noinline int btrfs_ioctl_resize(struct file *file,
 		}
 		new_size = old_size - new_size;
 	} else if (mod > 0) {
+		if (new_size > ULLONG_MAX - old_size) {
+			ret = -EINVAL;
+			goto out_free;
+		}
 		new_size = old_size + new_size;
 	}