f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()

end = range.start + range.len; If the range.start/range.len is a very large value, then end can overflow in this operation. It results into a crash in get_valid_blocks() when accessing the invalid range.start segno. This issue is reported in ioctl fuzz testing. Signed-off-by: Sahitya Tummala <stummala@codeaurora.org> Reviewed-by: Chao Yu <yuchao0@huawei.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
author: Sahitya Tummala 2019-09-17 10:19:23 +0530
committer: Jaegeuk Kim 2019-09-17 13:56:15 -0700
commit: fbbf779989d2ef9a51daaa4e53c0b2ecc8c55c4e (patch)
tree: 2f12ef343c175b800765c41ba913dc430059e50f
parent: 8223ecc456d079ef9b7a1fed237134cf62e9e870 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index aea82f2b9240..e4b78fb3fc79 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2264,9 +2264,9 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg)
 		return -EROFS;
 
 	end = range.start + range.len;
-	if (range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi)) {
+	if (end < range.start || range.start < MAIN_BLKADDR(sbi) ||
+					end >= MAX_BLKADDR(sbi))
 		return -EINVAL;
-	}
 
 	ret = mnt_want_write_file(filp);
 	if (ret)
author	Sahitya Tummala	2019-09-17 10:19:23 +0530
committer	Jaegeuk Kim	2019-09-17 13:56:15 -0700
commit	fbbf779989d2ef9a51daaa4e53c0b2ecc8c55c4e (patch)
tree	2f12ef343c175b800765c41ba913dc430059e50f
parent	8223ecc456d079ef9b7a1fed237134cf62e9e870 (diff)