From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, David Sterba, Sasha Levin
Subject: [PATCH 4.9 066/104] Btrfs: fix an integer overflow check
Date: Fri, 22 Dec 2017 09:46:32 +0100
Message-Id: <20171222084614.591918571@linuxfoundation.org>
X-Mailer: git-send-email 2.15.1
In-Reply-To: <20171222084609.262099650@linuxfoundation.org>
References: <20171222084609.262099650@linuxfoundation.org>
User-Agent: quilt/0.65
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter

[ Upstream commit 457ae7268b29c33dee1c0feb143a15f6029d177b ]

This isn't super serious because you need CAP_ADMIN to run this code.

I added this integer overflow check last year but apparently I am
rubbish at writing integer overflow checks...  There are two issues.
First, access_ok() works on unsigned long type and not u64 so on 32 bit
systems the access_ok() could be checking a truncated size.  The other
issue is that we should be using a stricter limit so we don't overflow
the kzalloc() setting ctx->clone_roots later in the function after the
access_ok():

	alloc_size = sizeof(struct clone_root) * (arg->clone_sources_count + 1);
	sctx->clone_roots = kzalloc(alloc_size, GFP_KERNEL | __GFP_NOWARN);

Fixes: f5ecec3ce21f ("btrfs: send: silence an integer overflow warning")
Signed-off-by: Dan Carpenter
Reviewed-by: David Sterba
[ added comment ]
Signed-off-by: David Sterba Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/send.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -6196,8 +6196,13 @@ long btrfs_ioctl_send(struct file *mnt_f goto out; } + /* + * Check that we don't overflow at later allocations, we request + * clone_sources_count + 1 items, and compare to unsigned long inside + * access_ok. + */ if (arg->clone_sources_count > - ULLONG_MAX / sizeof(*arg->clone_sources)) { + ULONG_MAX / sizeof(struct clone_root) - 1) { ret = -EINVAL; goto out; }
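Review bot: the new bound in the `if (arg->clone_sources_count > ULONG_MAX / sizeof(struct clone_root) - 1)` hunk only covers the access_ok() size (computed from sizeof(*arg->clone_sources)) as long as sizeof(struct clone_root) is at least sizeof(*arg->clone_sources), and nothing in the hunk records that assumption; a `BUILD_BUG_ON(sizeof(struct clone_root) < sizeof(*arg->clone_sources));` next to the check, or one more sentence in the new comment, would stop the check from being silently weakened if struct clone_root ever shrinks. The comment's "clone_sources_count + 1 items" wording is good; naming the later alloc_size computation it protects (the kzalloc of sctx->clone_roots quoted in the commit message) would make the `- 1` obvious to the next reader, and that allocation could itself become kcalloc(arg->clone_sources_count + 1, sizeof(struct clone_root), GFP_KERNEL | __GFP_NOWARN) so the multiplication is overflow-checked at the allocation site as well, with this explicit bound still needed for access_ok().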
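The two defects the commit message describes, shown as an added example that is not part of the patch: the old ULLONG_MAX bound lets through a count whose byte size wraps to 0 when narrowed to a 32-bit unsigned long (so access_ok() checks nothing) and whose later kzalloc() size also wraps to a small value, while the new bound rejects it. It assumes a 32-bit unsigned long, a u64 clone source, and a 32-byte struct clone_root (a constructed size, not the kernel's).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 32-bit kernel, where unsigned long is 32 bits wide. */
typedef uint32_t ulong32;
#define ULONG32_MAX UINT32_MAX

/* Element sizes: clone sources are u64; struct clone_root is modelled as
 * 32 bytes (constructed value for the demonstration). */
#define CLONE_SOURCE_SIZE 8u
#define CLONE_ROOT_SIZE   32u

/* The pre-patch check from f5ecec3ce21f: bounds count against ULLONG_MAX. */
static bool old_check_rejects(uint64_t count)
{
    return count > UINT64_MAX / CLONE_SOURCE_SIZE;
}

/* The patched check: bounds (count + 1) * sizeof(struct clone_root)
 * against the unsigned long that access_ok() and kzalloc() take. */
static bool new_check_rejects(uint64_t count)
{
    return count > ULONG32_MAX / CLONE_ROOT_SIZE - 1;
}

/* Size access_ok() actually sees once the u64 product is passed through
 * its unsigned long parameter on a 32-bit kernel. */
static ulong32 access_ok_size_seen(uint64_t count)
{
    return (ulong32)(count * CLONE_SOURCE_SIZE);
}

/* Size kzalloc() would receive for sctx->clone_roots after the same narrowing. */
static ulong32 kzalloc_size_seen(uint64_t count)
{
    return (ulong32)(CLONE_ROOT_SIZE * (count + 1));
}

int main(void)
{
    uint64_t count = (uint64_t)1 << 29; /* 2^29 entries: 2^32 bytes of u64 */
    printf("old check rejects: %d\n", old_check_rejects(count));
    printf("access_ok() sees %u bytes\n", access_ok_size_seen(count));
    printf("kzalloc() would get %u bytes\n", kzalloc_size_seen(count));
    printf("new check rejects: %d\n", new_check_rejects(count));
    return 0;
}
```

On a 64-bit build the same count would not wrap, which is why the truncation only bites on 32-bit systems as the commit message says.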