From: wzt.wzt on 16 Mar 2010 04:00 STATIC int xfs_compat_attrmulti_by_handle( struct file *parfilp, void __user *arg) { .... if (copy_from_user(&am_hreq, arg, sizeof(compat_xfs_fsop_attrmulti_handlereq_t))) return -XFS_ERROR(EFAULT); .... error = E2BIG; /* Not check the am_hreq.opcount max value from userspace, m_hreq.opcount * sizeof(compat_xfs_attr_multiop_t) can make integer overflow, and the if condition can be bypass. Though, it can not make security problem, but fix it maybe better. */ size = am_hreq.opcount * sizeof(compat_xfs_attr_multiop_t); if (!size || size > 16 * PAGE_SIZE) goto out_dput; .... }
Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com>
---
 fs/xfs/linux-2.6/xfs_ioctl.c | 4 ++++
 fs/xfs/linux-2.6/xfs_ioctl32.c | 4 ++++
 2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
index 4ea1ee1..b05b3b7 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl.c
@@ -526,6 +526,10 @@ xfs_attrmulti_by_handle(
 if (copy_from_user(&am_hreq, arg, sizeof(xfs_fsop_attrmulti_handlereq_t)))
 return -XFS_ERROR(EFAULT);
+ /* overflow check */
+ if (am_hreq.opcount >= INT_MAX / sizeof(xfs_attr_multiop_t))
+ return -ENOMEM;
+
 dentry = xfs_handlereq_to_dentry(parfilp, &am_hreq.hreq);
 if (IS_ERR(dentry))
 return PTR_ERR(dentry);
diff --git a/fs/xfs/linux-2.6/xfs_ioctl32.c b/fs/xfs/linux-2.6/xfs_ioctl32.c
index 0bf6d61..7b8673e 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl32.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl32.c
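Review bot: The guard added in xfs_attrmulti_by_handle bounds opcount against INT_MAX, but the function already rejects any request whose byte size exceeds 16 * PAGE_SIZE a few lines further down (the commit message quotes `if (!size || size > 16 * PAGE_SIZE) goto out_dput;`), so the tighter and inherently overflow-free form is to bound opcount against that existing limit before the multiply ever happens: `if (!am_hreq.opcount || am_hreq.opcount > (16 * PAGE_SIZE) / sizeof(xfs_attr_multiop_t)) return -XFS_ERROR(E2BIG);`. That also keeps the error reporting consistent with the surrounding code, which returns `-XFS_ERROR(...)` and uses E2BIG for an oversized request, whereas `-ENOMEM` tells userspace an allocation failed when none was attempted. Whether the product can actually wrap depends on the declared types of opcount and size, which are outside the hunk; it is real on a 32-bit build or if size is narrower than size_t, so a pre-multiply bound is worth keeping in any case. The same point applies to the xfs_compat_attrmulti_by_handle hunk in xfs_ioctl32.c, using compat_xfs_attr_multiop_t. Both enclosing functions begin and end outside their hunks.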
@@ -419,6 +419,10 @@ xfs_compat_attrmulti_by_handle(
 sizeof(compat_xfs_fsop_attrmulti_handlereq_t)))
 return -XFS_ERROR(EFAULT);
+ /* overflow check */
+ if (am_hreq.opcount >= INT_MAX / sizeof(compat_xfs_attr_multiop_t))
+ return -ENOMEM;
+
 dentry = xfs_compat_handlereq_to_dentry(parfilp, &am_hreq.hreq);
 if (IS_ERR(dentry))
 return PTR_ERR(dentry);
-- 1.6.5.3
-- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/