From patchwork Wed Feb 9 14:12:46 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Rosenberg
X-Patchwork-Id: 544151
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id p19EKZMc006914 for ; Wed, 9 Feb 2011 14:20:37 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755413Ab1BIOUc (ORCPT ); Wed, 9 Feb 2011 09:20:32 -0500
Received: from mx1.vsecurity.com ([209.67.252.12]:63433 "EHLO mx1.vsecurity.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755260Ab1BIOUc (ORCPT ); Wed, 9 Feb 2011 09:20:32 -0500
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]); Wed, 09 Feb 2011 14:20:53 +0000 (UTC)
X-Greylist: delayed 459 seconds by postgrey-1.27 at vger.kernel.org; Wed, 09 Feb 2011 09:20:31 EST
Received: (qmail 51727 invoked from network); 9 Feb 2011 14:10:25 -0000
Received: from c-98-229-66-118.hsd1.ma.comcast.net (HELO [192.168.1.146]) (drosenbe@[98.229.66.118]) (envelope-sender ) by mx1.vsecurity.com (qmail-ldap-1.03) with SMTP for ; 9 Feb 2011 14:10:25 -0000
Subject: [PATCH] btrfs: prevent heap corruption in btrfs_ioctl_space_info()
From: Dan Rosenberg
To: chris.mason@oracle.com
Cc: security@kernel.org, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, stable@kernel.org
Date: Wed, 09 Feb 2011 09:12:46 -0500
Message-ID: <1297260766.2327.40.camel@dan>
Mime-Version: 1.0
X-Mailer: Evolution 2.28.3
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-btrfs@vger.kernel.org

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 02d224e..f1a43df 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2208,7 +2208,7 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) int num_types = 4; int alloc_size; int ret = 0; - int slot_count = 0; + u64 slot_count = 0; int i, c; if (copy_from_user(&space_args, @@ -2247,7 +2247,7 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) goto out; } - slot_count = min_t(int, space_args.space_slots, slot_count); + slot_count = min_t(u64, space_args.space_slots, slot_count); alloc_size = sizeof(*dest) * slot_count; @@ -2267,6 +2267,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) for (i = 0; i < num_types; i++) { struct btrfs_space_info *tmp; + /* Don't copy in more than we allocated */ + if (!slot_count) + break; + + slot_count--; + info = NULL; rcu_read_lock(); list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
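Review bot: the first hunk (the `int slot_count` to `u64 slot_count` change at the top of btrfs_ioctl_space_info) arrives with no changelog text on this page explaining why the width matters, yet the patch is Cc'd to stable@kernel.org. A stable candidate titled "prevent heap corruption" should spell out in the commit message which user-controlled field (space_args.space_slots, judging by the min_t below) drives the undersized allocation and how the old int comparison went wrong, so that backporters can judge the severity without reading the code.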
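Review bot: the second hunk (`min_t(u64, space_args.space_slots, slot_count)`) fixes the comparison width but leaves `alloc_size` declared as a plain `int` on the line right after it, so `alloc_size = sizeof(*dest) * slot_count;` now narrows a size_t * u64 product into an int. That is only safe because the min_t has just bounded slot_count by the kernel-computed count; nothing in the hunk says so. Either make `alloc_size` a size_t (or u64) to match, or add a one-line comment stating that slot_count is bounded by the kernel-side count at this point. The old `min_t(int, ...)` was the real bug here: casting a 64-bit, user-chosen slot count to int before the comparison let a value whose low 32 bits read as negative compare as "smaller" than the kernel's count, so the allocation no longer matched what the copy loop expected.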
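Review bot: in the third hunk the `slot_count--` is placed before the search for a matching space_info, so it runs once per `types[i]` iteration rather than once per entry written to `dest`. If no space_info matches `types[i]` (the loop sets `info = NULL` and only assigns it on a match) a slot is consumed without anything being copied, and if the body writes more than one entry per type (a second loop counter `c` is declared at the top of the function) the allocation can still be exceeded. Move the decrement next to the actual copy into `dest` and re-check `slot_count` after each copy; the `if (!slot_count) break;` at the top of the outer loop is then the right early exit. The `/* Don't copy in more than we allocated */` comment would also read better as "Don't copy out more than we allocated", since the loop fills a kernel buffer that is later copied to user space.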