X-Patchwork-Submitter: Wenliang Fan
X-Patchwork-Id: 3386171
From: Wenliang Fan
To: clm@fb.com, jbacik@fb.com
Cc: linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, Wenliang Fan
Subject: [PATCH] fs/btrfs: Integer overflow in btrfs_ioctl_resize()
Date: Fri, 20 Dec 2013 15:28:56 +0800
Message-Id: <1387524536-29828-1-git-send-email-fanwlexca@gmail.com>

The local variable 'new_size' comes from userspace. If a large number was passed, there would be an integer overflow in the following line:
    new_size = old_size + new_size;

Signed-off-by: Wenliang Fan
---
fs/btrfs/ioctl.c | 4 ++++ 1 file changed, 4 insertions(+)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 21da576..92f7707 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -1466,6 +1466,10 @@ static noinline int btrfs_ioctl_resize(struct file *file, } new_size = old_size - new_size; } else if (mod > 0) { + if (new_size > ULLONG_MAX - old_size) { + ret = -EINVAL; + goto out_free; + } new_size = old_size + new_size; }
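
Review bot: In the `mod > 0` branch the new guard uses ULLONG_MAX as its bound, which is only correct if `new_size` and `old_size` are both unsigned 64-bit; their declarations are outside the hunk, so please confirm the types and say so in the changelog, so that `new_size > ULLONG_MAX - old_size` is not evaluated in a narrower or signed type. The rearranged comparison itself is the right wrap-free form, since `ULLONG_MAX - old_size` cannot underflow for an unsigned operand. Two smaller points: the changelog says the addition can overflow but not what the wrapped `new_size` is then used for or which later check it would get past, which is what a stable maintainer needs to judge impact; and the choice of -EINVAL should be checked for consistency with whatever the preceding branch (the one ending in `new_size = old_size - new_size;`) returns for its own out-of-range case, with -ERANGE as an alternative if userspace should be able to tell a size that is too large from a malformed argument.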