| To: | linux-kernel@xxxxxxxxxxxxxxx |
|---|---|
| Subject: | [PATCH] xfs: Fix integer overflow in fs/xfs/linux-2.6/xfs_ioctl*.c |
| From: | wzt.wzt@xxxxxxxxx |
| Date: | Wed, 17 Mar 2010 11:19:47 +0800 |
| Cc: | xfs-masters@xxxxxxxxxxx, aelder@xxxxxxx, david@xxxxxxxxxxxxx |
| User-agent: | Mutt/1.4.2.2i |
The am_hreq.opcount field in the xfs_attrmulti_by_handle() interface
is not bounded correctly. The opcount is used to determine the size
of the buffer required. The size is bounded, but can overflow and so
the size checks may not be sufficient to catch invalid opcounts.
Fix it by catching opcount values that would cause overflows before
calculating the size.
Signed-off-by: Zhitong Wang <zhitong.wangzt@xxxxxxxxxxxxxxx>
---
fs/xfs/linux-2.6/xfs_ioctl.c | 4 ++++
fs/xfs/linux-2.6/xfs_ioctl32.c | 4 ++++
2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
index a034cf6..b716ec8 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl.c
@@ -526,6 +526,10 @@ xfs_attrmulti_by_handle(
if (copy_from_user(&am_hreq, arg,
sizeof(xfs_fsop_attrmulti_handlereq_t)))
return -XFS_ERROR(EFAULT);
+ /* overflow check */
+ if (am_hreq.opcount >= INT_MAX / sizeof(xfs_attr_multiop_t))
+ return -E2BIG;
+
dentry = xfs_handlereq_to_dentry(parfilp, &am_hreq.hreq);
if (IS_ERR(dentry))
return PTR_ERR(dentry);
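Review bot: The new early return in xfs_attrmulti_by_handle() uses a bare `-E2BIG`, while the copy_from_user() failure directly above it returns `-XFS_ERROR(EFAULT)`; use `-XFS_ERROR(E2BIG)` so both error paths follow the same convention. The `/* overflow check */` comment should also name the multiplication it guards (opcount times sizeof(xfs_attr_multiop_t)) and say why INT_MAX is the right limit, since the type of the size variable is not visible in this hunk. The check only bounds opcount from above, so it is worth confirming that a zero opcount is handled by the size checks that follow.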
diff --git a/fs/xfs/linux-2.6/xfs_ioctl32.c b/fs/xfs/linux-2.6/xfs_ioctl32.c
index be1527b..c9d9d5e 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl32.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl32.c
@@ -419,6 +419,10 @@ xfs_compat_attrmulti_by_handle(
sizeof(compat_xfs_fsop_attrmulti_handlereq_t)))
return -XFS_ERROR(EFAULT);
+ /* overflow check */
+ if (am_hreq.opcount >= INT_MAX / sizeof(compat_xfs_attr_multiop_t))
+ return -E2BIG;
+
dentry = xfs_compat_handlereq_to_dentry(parfilp, &am_hreq.hreq);
if (IS_ERR(dentry))
return PTR_ERR(dentry);
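Review bot: The check in xfs_compat_attrmulti_by_handle() duplicates the native one with only the element type changed to compat_xfs_attr_multiop_t; a small shared helper or macro that takes the element size would keep the two paths from drifting apart. Because the divisor differs from the native sizeof(xfs_attr_multiop_t), the largest accepted opcount differs between native and compat callers, which deserves a word in the comment. As in the first hunk, `-XFS_ERROR(E2BIG)` would match the `-XFS_ERROR(EFAULT)` return just above.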
--
1.6.5.3
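
The failure mode the commit message describes, as an added example that is not part of the original mail and is not the kernel's code: a size bound applied after the multiplication can be passed by a count whose product wraps. `struct multiop`, `MAX_BUF` and the 32-bit size variable are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one multi-op record (32 bytes); not the XFS type. */
struct multiop { uint32_t f[8]; };

#define MAX_BUF 65536u /* assumed upper bound on the ops buffer, in bytes */

/* Bound on the size only: the 32-bit product wraps before it is compared. */
static long size_bound_only(uint32_t opcount)
{
    uint32_t size = opcount * (uint32_t)sizeof(struct multiop);

    if (size == 0 || size > MAX_BUF)
        return -E2BIG;
    return (long)size; /* caller would allocate this many bytes */
}

/* Bound on the count first, in the style of the patch, then on the size. */
static long size_with_count_check(uint32_t opcount)
{
    if (opcount >= INT_MAX / sizeof(struct multiop))
        return -E2BIG;
    return size_bound_only(opcount);
}

int main(void)
{
    /* Constructed inputs: a sane count, an oversized one, a wrapping one. */
    uint32_t samples[] = { 16u, 4096u, 0x08000001u };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t n = samples[i];

        /* A negative result is -E2BIG; otherwise it is the buffer size. */
        printf("opcount=%u size-only=%ld count-then-size=%ld\n",
               (unsigned)n, size_bound_only(n), size_with_count_check(n));
    }
    return 0;
}
```

With the wrapping count the size-only path accepts a 32-byte buffer for a request that claims over 134 million operations, so any later loop over opcount runs far past the allocation; the count check rejects it before the multiplication happens.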