481fe17e97
There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen <haogangchen@gmail.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|---|---|---|
| .. | ||
| alloc.c | ||
| alloc.h | ||
| bmap.c | ||
| bmap.h | ||
| btnode.c | ||
| btnode.h | ||
| btree.c | ||
| btree.h | ||
| cpfile.c | ||
| cpfile.h | ||
| dat.c | ||
| dat.h | ||
| dir.c | ||
| direct.c | ||
| direct.h | ||
| export.h | ||
| file.c | ||
| gcinode.c | ||
| ifile.c | ||
| ifile.h | ||
| inode.c | ||
| ioctl.c | ||
| Kconfig | ||
| Makefile | ||
| mdt.c | ||
| mdt.h | ||
| namei.c | ||
| nilfs.h | ||
| page.c | ||
| page.h | ||
| recovery.c | ||
| segbuf.c | ||
| segbuf.h | ||
| segment.c | ||
| segment.h | ||
| sufile.c | ||
| sufile.h | ||
| super.c | ||
| the_nilfs.c | ||
| the_nilfs.h | ||