stuartl/linux-mainline
1
0
Fork 0
mirror of https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux synced 2025-10-30 10:41:34 +10:00
Code Issues Releases Wiki Activity
724577ca35
linux-mainline/fs/nilfs2
History
Haogang Chen 481fe17e97 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() 
There is a potential integer overflow in nilfs_ioctl_clean_segments().
When a large argv[n].v_nmembs is passed from the userspace, the subsequent
call to vmalloc() will allocate a buffer smaller than expected, which
leads to out-of-bound access in nilfs_ioctl_move_blocks() and
lfs_clean_segments().

The following check does not prevent the overflow because nsegs is also
controlled by the userspace and could be very large.

		if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
			goto out_free;

This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
returns -EINVAL when overflow.

Signed-off-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-12-20 10:25:04 -08:00
..
alloc.c nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
alloc.h
bmap.c nilfs2: get rid of NILFS_I_NILFS 2011-05-10 22:21:56 +09:00
bmap.h
btnode.c nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
btnode.h nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
btree.c nilfs2: fix missing block address termination in btree node shrinking 2011-06-11 15:51:15 +09:00
btree.h
cpfile.c nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
cpfile.h
dat.c nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
dat.h
dir.c
direct.c
direct.h
export.h
file.c fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
gcinode.c nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
ifile.c nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
ifile.h
inode.c filesystems: add set_nlink() 2011-11-02 12:53:43 +01:00
ioctl.c nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() 2011-12-20 10:25:04 -08:00
Kconfig
Makefile
mdt.c nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
mdt.h nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
namei.c filesystems: add set_nlink() 2011-11-02 12:53:43 +01:00
nilfs.h treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
page.c nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
page.h nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
recovery.c nilfs2: use list_first_entry 2011-05-10 22:21:56 +09:00
segbuf.c nilfs2: super root size should change depending on inode size 2011-05-10 22:21:44 +09:00
segbuf.h
segment.c nilfs2: fix problem in setting checkpoint interval 2011-06-11 15:51:15 +09:00
segment.h nilfs2: get rid of private page allocator 2011-05-10 22:21:44 +09:00
sufile.c nilfs2: use mark_buffer_dirty to mark btnode or meta data dirty 2011-05-10 22:21:57 +09:00
sufile.h nilfs2: get rid of NILFS_I_NILFS 2011-05-10 22:21:56 +09:00
super.c nilfs2: always set back pointer to host inode in mapping->host 2011-05-10 22:21:57 +09:00
the_nilfs.c nilfs2: implement resize ioctl 2011-05-10 22:21:46 +09:00
the_nilfs.h nilfs2: implement resize ioctl 2011-05-10 22:21:46 +09:00