fix multiplication overflow in copy_fdtable()

stable inclusion from linux-4.19.125 commit b23af87aabc04ee63935b7f80664f2b36f74fdef -------------------------------- [ Upstream commit 4e89b721 ] cpy and set really should be size_t; we won't get an overflow on that, since sysctl_nr_open can't be set above ~(size_t)0 / sizeof(void *), so nr that would've managed to overflow size_t on that multiplication won't get anywhere near copy_fdtable() - we'll fail with EMFILE before that. Cc: stable@kernel.org # v2.6.25+ Fixes: 9cfe015a (get rid of NR_OPEN and introduce a sysctl_nr_open) Reported-by: N Thiago Macieira <thiago.macieira@intel.com> Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

fix multiplication overflow in copy_fdtable()
stable inclusion from linux-4.19.125 commit b23af87aabc04ee63935b7f80664f2b36f74fdef -------------------------------- [ Upstream commit 4e89b721 ] cpy and set really should be size_t; we won't get an overflow on that, since sysctl_nr_open can't be set above ~(size_t)0 / sizeof(void *), so nr that would've managed to overflow size_t on that multiplication won't get anywhere near copy_fdtable() - we'll fail with EMFILE before that. Cc: stable@kernel.org # v2.6.25+ Fixes: 9cfe015a (get rid of NR_OPEN and introduce a sysctl_nr_open) Reported-by: N Thiago Macieira <thiago.macieira@intel.com> Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
99c3b2db · Al Viro · Yang Yingliang · 1a3d8645 · 99c3b2db
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

fs/file.c fs/file.c +1 -1

未找到文件。
--- a/fs/file.c
+++ b/fs/file.c
@@ -71,7 +71,7 @@ static void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt,
 */
 static void copy_fdtable(struct fdtable *nfdt, struct fdtable *ofdt)
 {
-	unsigned int cpy, set;
+	size_t cpy, set;

 	BUG_ON(nfdt->max_fds < ofdt->max_fds);