| To: | linux-kernel@xxxxxxxxxxxxxxx |
|---|---|
| Subject: | [PATCH] xfs: Fix integer overflow in fs/xfs/linux-2.6/xfs_ioctl*.c |
| From: | wzt.wzt@xxxxxxxxx |
| Date: | Tue, 16 Mar 2010 23:53:50 +0800 |
| Cc: | xfs-masters@xxxxxxxxxxx, xfs@xxxxxxxxxxx, aelder@xxxxxxx |
| User-agent: | Mutt/1.4.2.2i |
STATIC int
xfs_compat_attrmulti_by_handle(
struct file *parfilp,
void __user *arg)
{
...
if (copy_from_user(&am_hreq, arg,
sizeof(compat_xfs_fsop_attrmulti_handlereq_t)))
return -XFS_ERROR(EFAULT);
...
error = E2BIG;
/* am_hreq.opcount comes from userspace and its maximum value is not
checked, so am_hreq.opcount * sizeof(compat_xfs_attr_multiop_t) can
overflow and the if condition below can be bypassed. Although this
cannot cause a security problem, it is better to fix it. */
size = am_hreq.opcount * sizeof(compat_xfs_attr_multiop_t);
if (!size || size > 16 * PAGE_SIZE)
goto out_dput;
...
}
Signed-off-by: Zhitong Wang <zhitong.wangzt@xxxxxxxxxxxxxxx>
---
fs/xfs/linux-2.6/xfs_ioctl.c | 4 ++++
fs/xfs/linux-2.6/xfs_ioctl32.c | 4 ++++
2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
index 4ea1ee1..b05b3b7 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl.c
@@ -526,6 +526,10 @@ xfs_attrmulti_by_handle(
if (copy_from_user(&am_hreq, arg,
sizeof(xfs_fsop_attrmulti_handlereq_t)))
return -XFS_ERROR(EFAULT);
+ /* overflow check */
+ if (am_hreq.opcount >= INT_MAX / sizeof(xfs_attr_multiop_t))
+ return -ENOMEM;
+
dentry = xfs_handlereq_to_dentry(parfilp, &am_hreq.hreq);
if (IS_ERR(dentry))
return PTR_ERR(dentry);
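Review bot: The added guard returns a bare `-ENOMEM` for an oversized user-supplied `opcount`, which reports an allocation failure for what is really an invalid argument, and it skips the `XFS_ERROR()` wrapper used by the `copy_from_user` failure just above it. The patch description shows the existing size check in the compat path failing with `E2BIG`, and this function presumably does the same, so the early return would be more consistent as `return -XFS_ERROR(E2BIG);`. The same applies to the identical check added to `xfs_compat_attrmulti_by_handle` in xfs_ioctl32.c. The function body begins and ends outside the hunk.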
diff --git a/fs/xfs/linux-2.6/xfs_ioctl32.c b/fs/xfs/linux-2.6/xfs_ioctl32.c
index 0bf6d61..7b8673e 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl32.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl32.c
@@ -419,6 +419,10 @@ xfs_compat_attrmulti_by_handle(
sizeof(compat_xfs_fsop_attrmulti_handlereq_t)))
return -XFS_ERROR(EFAULT);
+ /* overflow check */
+ if (am_hreq.opcount >= INT_MAX / sizeof(compat_xfs_attr_multiop_t))
+ return -ENOMEM;
+
dentry = xfs_compat_handlereq_to_dentry(parfilp, &am_hreq.hreq);
if (IS_ERR(dentry))
return PTR_ERR(dentry);
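Review bot: The bound `INT_MAX / sizeof(compat_xfs_attr_multiop_t)` is tied to `int`, but the declaration of `size` is not visible in the hunk, so it cannot be confirmed from here that this matches the width at which the multiplication wraps. According to the description, the product is later rejected when it exceeds `16 * PAGE_SIZE`, so the guard could test the count against that limit directly, `if (am_hreq.opcount > 16 * PAGE_SIZE / sizeof(compat_xfs_attr_multiop_t))`, which cannot overflow and needs no assumption about the type of `size`. The comment would also be more useful if it named what it protects, e.g. `/* reject opcount before opcount * sizeof(op) can wrap the size check below */`. Both points apply equally to the xfs_ioctl.c hunk.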
--
1.6.5.3