linux/fs/nilfs2
Haogang Chen 481fe17e97 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
There is a potential integer overflow in nilfs_ioctl_clean_segments().
When a large argv[n].v_nmembs is passed from the userspace, the subsequent
call to vmalloc() will allocate a buffer smaller than expected, which
leads to out-of-bound access in nilfs_ioctl_move_blocks() and
lfs_clean_segments().

The following check does not prevent the overflow because nsegs is also
controlled by the userspace and could be very large.

		if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
			goto out_free;

This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
returns -EINVAL when overflow.

Signed-off-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-12-20 10:25:04 -08:00
..
alloc.c
alloc.h
bmap.c
bmap.h
btnode.c
btnode.h
btree.c nilfs2: fix missing block address termination in btree node shrinking 2011-06-11 15:51:15 +09:00
btree.h
cpfile.c
cpfile.h
dat.c
dat.h
dir.c
direct.c
direct.h
export.h
file.c fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
gcinode.c
ifile.c
ifile.h
inode.c filesystems: add set_nlink() 2011-11-02 12:53:43 +01:00
ioctl.c nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() 2011-12-20 10:25:04 -08:00
Kconfig
Makefile
mdt.c
mdt.h
namei.c filesystems: add set_nlink() 2011-11-02 12:53:43 +01:00
nilfs.h treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
page.c
page.h
recovery.c
segbuf.c
segbuf.h
segment.c nilfs2: fix problem in setting checkpoint interval 2011-06-11 15:51:15 +09:00
segment.h
sufile.c
sufile.h
super.c
the_nilfs.c
the_nilfs.h