• D
    btrfs: fix signed overflows in btrfs_sync_file · 9dcbeed4
    David Sterba 提交于
    The calculation of range length in btrfs_sync_file leads to signed
    overflow. This was caught by PaX gcc SIZE_OVERFLOW plugin.
    
    https://forums.grsecurity.net/viewtopic.php?f=1&t=4284
    
    The fsync call passes 0 and LLONG_MAX, the range length does not fit to
    loff_t and overflows, but the value is converted to u64 so it silently
    works as expected.
    
    The minimal fix is a typecast to u64, switching functions to take
    (start, end) instead of (start, len) would be more intrusive.
    
    Coccinelle script found that there's one more opencoded calculation of
    the length.
    
    <smpl>
    @@
    loff_t start, end;
    @@
    * end - start
    </smpl>
    
    CC: stable@vger.kernel.org
    Signed-off-by: NDavid Sterba <dsterba@suse.com>
    Signed-off-by: NChris Mason <clm@fb.com>
    9dcbeed4
file.c 79.3 KB