authorWenliang Fan2013-12-20 15:28:56 +0800
committerChris Mason2014-01-28 13:20:11 -0800
commiteb8052e015f2c015926db45943f8ee724ace97e5 (patch)
tree0bc0bbe9ac1804dd4a3e658f2a17efb59328ac6b
parentc9ea7b24ce5863d65efb1134319cede160674d41 (diff)
fs/btrfs: Integer overflow in btrfs_ioctl_resize()
The local variable 'new_size' comes from userspace. If a large number was passed, there would be an integer overflow in the following line: new_size = old_size + new_size; Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: Josef Bacik <jbacik@fb.com> Signed-off-by: Chris Mason <clm@fb.com>
-rw-r--r--fs/btrfs/ioctl.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index edf5f0093f22..ed3edc283255 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1474,6 +1474,10 @@ static noinline int btrfs_ioctl_resize(struct file *file,
}
new_size = old_size - new_size;
} else if (mod > 0) {
+ if (new_size > ULLONG_MAX - old_size) {
+ ret = -EINVAL;
+ goto out_free;
+ }
new_size = old_size + new_size;
}
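Review bot: The new guard in the `mod > 0` branch has no comment explaining why it is there, so a later cleanup could mistake it for a redundant range check. Directly above the `if`, I would add `/* new_size is user-supplied: reject a grow request whose sum with old_size would wrap */`. The comparison `new_size > ULLONG_MAX - old_size` only detects wrap-around if both operands are unsigned 64-bit values; their declarations are outside this hunk, so confirm that, and prefer the kernel's u64 limit constant if the tree has one. btrfs_ioctl_resize starts and ends outside the hunk, so any later bounds checks on the computed size against the device are not visible here and should be confirmed to still run after this addition.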