
[PATCH] xfs: Fix integer overflow in fs/xfs/linux-2.6/xfs_ioctl*.c

To: linux-kernel@xxxxxxxxxxxxxxx
Subject: [PATCH] xfs: Fix integer overflow in fs/xfs/linux-2.6/xfs_ioctl*.c
From: wzt.wzt@xxxxxxxxx
Date: Tue, 16 Mar 2010 23:53:50 +0800
Cc: xfs-masters@xxxxxxxxxxx, xfs@xxxxxxxxxxx, aelder@xxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:cc:subject :message-id:mime-version:content-type:content-disposition:user-agent; bh=JpVmQMytgxAX8lizEqZ9a6U+LKsUyEQ9gMNmAm6XBHw=; b=mtRZuq7ph8HFMKbf3OXFu1MXI4nZqnIemWNlVsXMBdRwv456d7N477AvM9msnCFMqN LyIK5Rw2aNPkZCkGGVJdIHtVcN2kyNrW1b4fufh5Cp7INNZuXLQiVh03mmFwZXr4x5CW 8AQJ7vYkfRx+IUDRIviJRFy4UcwWtWTwVXUhQ=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:mime-version:content-type :content-disposition:user-agent; b=Ps6oO7fknGjiecPIyr1Ye9VMHgpiTZPqkIbkOk7TY2nrBdLTtKXH0/+LvBXatc5ikO 9UnbqDC2FtsPscKC8VpUCKVRAktJecgRgoUQoxNT0VsuVHWe22eMlbGf28hCRKtF5fi9 I0ujKqZD4mt6P/M68ETMYQYr+ICL6X/h2BN00=
User-agent: Mutt/1.4.2.2i
STATIC int
xfs_compat_attrmulti_by_handle(
        struct file                             *parfilp,
        void                                    __user *arg)
{
...
        if (copy_from_user(&am_hreq, arg,
                           sizeof(compat_xfs_fsop_attrmulti_handlereq_t)))
                return -XFS_ERROR(EFAULT);
...
        error = E2BIG;
        /* The maximum value of am_hreq.opcount from userspace is not checked,
        so am_hreq.opcount * sizeof(compat_xfs_attr_multiop_t) can overflow
        and the if condition can be bypassed. Though it does not cause a
        security problem, it may be better to fix it. */
        size = am_hreq.opcount * sizeof(compat_xfs_attr_multiop_t);
        if (!size || size > 16 * PAGE_SIZE)
                goto out_dput;
...
}

Signed-off-by: Zhitong Wang <zhitong.wangzt@xxxxxxxxxxxxxxx>

---
 fs/xfs/linux-2.6/xfs_ioctl.c   |    4 ++++
 fs/xfs/linux-2.6/xfs_ioctl32.c |    4 ++++
 2 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
index 4ea1ee1..b05b3b7 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl.c
@@ -526,6 +526,10 @@ xfs_attrmulti_by_handle(
        if (copy_from_user(&am_hreq, arg, 
sizeof(xfs_fsop_attrmulti_handlereq_t)))
                return -XFS_ERROR(EFAULT);
 
+       /* overflow check */
+       if (am_hreq.opcount >= INT_MAX / sizeof(xfs_attr_multiop_t))
+               return -ENOMEM;
+
        dentry = xfs_handlereq_to_dentry(parfilp, &am_hreq.hreq);
        if (IS_ERR(dentry))
                return PTR_ERR(dentry);
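Review bot: The added guard returns -ENOMEM, while the size cap it protects (the `error = E2BIG` path quoted in the description) already treats an oversized request as E2BIG, and the copy_from_user failure just above returns `-XFS_ERROR(EFAULT)`; `return -XFS_ERROR(E2BIG);` keeps both the errno and the file's error convention consistent, and the same applies to the xfs_ioctl32.c hunk. The bound `INT_MAX / sizeof(xfs_attr_multiop_t)` is looser than the 16 * PAGE_SIZE cap applied a few lines later, so it is that later cap, not this guard, that limits the allocation; the comment `/* overflow check */` would say more as `/* opcount * sizeof() below can wrap on 32-bit; reject before the size cap */`. Whether the multiplication can actually wrap depends on the declared types of opcount and size, which are outside the hunk. xfs_attrmulti_by_handle starts before the hunk and continues after it.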
diff --git a/fs/xfs/linux-2.6/xfs_ioctl32.c b/fs/xfs/linux-2.6/xfs_ioctl32.c
index 0bf6d61..7b8673e 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl32.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl32.c
@@ -419,6 +419,10 @@ xfs_compat_attrmulti_by_handle(
                           sizeof(compat_xfs_fsop_attrmulti_handlereq_t)))
                return -XFS_ERROR(EFAULT);
 
+       /* overflow check */
+       if (am_hreq.opcount >= INT_MAX / sizeof(compat_xfs_attr_multiop_t))
+               return -ENOMEM;
+
        dentry = xfs_compat_handlereq_to_dentry(parfilp, &am_hreq.hreq);
        if (IS_ERR(dentry))
                return PTR_ERR(dentry);
-- 
1.6.5.3
