| Message ID | 20160413064059.GB8092@mwanda (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
On Wed, Apr 13, 2016 at 09:40:59AM +0300, Dan Carpenter wrote: > The "sizeof(*arg->clone_sources) * arg->clone_sources_count" expression > can overflow. It causes several static checker warnings. It's all > under CAP_SYS_ADMIN so it's not that serious but lets silence the > warnings. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: David Sterba <dsterba@suse.com> -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index 73dd5d6..6a8c860 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -5979,6 +5979,12 @@ long btrfs_ioctl_send(struct file *mnt_file, void __user *arg_) goto out; } + if (arg->clone_sources_count > + ULLONG_MAX / sizeof(*arg->clone_sources)) { + ret = -EINVAL; + goto out; + } + if (!access_ok(VERIFY_READ, arg->clone_sources, sizeof(*arg->clone_sources) * arg->clone_sources_count)) {
The "sizeof(*arg->clone_sources) * arg->clone_sources_count" expression can overflow. It causes several static checker warnings. It's all under CAP_SYS_ADMIN so it's not that serious but lets silence the warnings. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html