diff mbox series

block: fix a unsigned integer overflow which could bypass check

Message ID 20201127012945.410-1-charley.ashbringer@gmail.com (mailing list archive)
State New, archived
Headers show
Series block: fix a unsigned integer overflow which could bypass check | expand

Commit Message

Changming Nov. 27, 2020, 1:29 a.m. UTC 
From: Changming Liu <charley.ashbringer@gmail.com>

start, and len are 64 unsigned integers and
purely from user-space, thus star + len can
wrap-around and bypass the check at

start + len > i_size_read(bdev->bd_inode)

This overflowed value can cause trouble
after passed in truncate_bdev_range.

To fix this, a wrap-around check is added just
like in blk_ioctl_zeroout, so that such the
overflowed value can be rejected.

Signed-off-by: Changming Liu <charley.ashbringer@gmail.com>
---
 block/ioctl.c | 2 ++
 1 file changed, 2 insertions(+)
diff mbox series

Patch

diff --git a/block/ioctl.c b/block/ioctl.c
index 3fbc382eb926..3fddb1fe5b35 100644
--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -133,6 +133,8 @@  static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode,
 
 	if (start + len > i_size_read(bdev->bd_inode))
 		return -EINVAL;
+	if (start + len < start)
+		return -EINVAL;
 
 	err = truncate_bdev_range(bdev, mode, start, start + len - 1);
 	if (err)