Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3852200pxb; Tue, 10 Nov 2020 01:29:07 -0800 (PST) X-Google-Smtp-Source: ABdhPJwBAtG+ZaX6AnN7R/tLGgC7fm7kTYNlPwkkdngWHs0PwmyvS1PBiF2Sh9qEoMyTCae/SP2S X-Received: by 2002:a05:6402:1585:: with SMTP id c5mr19438744edv.372.1605000547711; Tue, 10 Nov 2020 01:29:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605000547; cv=none; d=google.com; s=arc-20160816; b=qMGmMfkiIVQjCu0cjhximmG3teLT/SMyg7JzpLFLS0hzSOTKQYk6TcUNRLKpCcl5Fw gWihhIp4ORgGkNX7j9gvPsUw05eUZbMPMfHO9NTYXKvspGaX+Ea7AGm0d+bH5tvhZmCN VNNJqJe7Wyjd78/DRVWGV3NQImK6hvvYkf6NgmM5G/SPqBDxTh0X5uB7W6bnMk+BAGr1 6hJ5KLRV3fiLqsz8OhNpTE9pMSG5nKMzsQQvRXJoJwPYQo/j9XhxqkSGnKB/5viRb3Pf t36RaPxSXle8qCWFsPWfOgJcj/77jCee580t12PnbDSL41Z1gu8vgYL0wvWpWX4wFF0O D7Ag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from; bh=2SID6Srm4ZoLcaE9dQfDwiYleF4hw/Vs1PE5PYN2yEo=; b=STv2wykX35R32RyNAIoH3VauPEjmJTdsfhcMiz0x+7cPHdNjOtl+4aDUmFCyGQXjtW qeBbr/M3ykOCnUXQ8bGGSUghbkmkPuSiCgrOUZOiuYyemMPS5dUFM5Um73qKceKJi715 QVwIyaZ5WPcZSj2VvulFsOYMd4ade7D3k/F7ggDjszFGXz/7d5dmUJHiUIs3n+mOubq9 yBYHxsA8ILKp1RXe68aC9fNhW2l9H6NHs/PiqSsTLjGEp940giO9s8hMh7GNKHhBjrro xikHfqYUnKmOL20w5MpbVV9NCSiki0iP5tX23FlFBukYtQY2/n8ndYbbk/xwR7AUlLIN cLqA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h10si4298989edn.589.2020.11.10.01.28.45; Tue, 10 Nov 2020 01:29:07 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729518AbgKJJ1F (ORCPT + 99 others); Tue, 10 Nov 2020 04:27:05 -0500 Received: from szxga04-in.huawei.com ([45.249.212.190]:7165 "EHLO szxga04-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726825AbgKJJ1E (ORCPT ); Tue, 10 Nov 2020 04:27:04 -0500 Received: from DGGEMS402-HUB.china.huawei.com (unknown [172.30.72.59]) by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4CVjDY4x5fz15RXC; Tue, 10 Nov 2020 17:26:53 +0800 (CST) Received: from localhost.localdomain (10.67.165.24) by DGGEMS402-HUB.china.huawei.com (10.3.19.202) with Microsoft SMTP Server id 14.3.487.0; Tue, 10 Nov 2020 17:26:54 +0800 From: Yicong Yang To: , CC: , , , , , Subject: [RESEND PATCH] libfs: fix error cast of negative value in simple_attr_write() Date: Tue, 10 Nov 2020 17:25:24 +0800 Message-ID: <1605000324-7428-1-git-send-email-yangyicong@hisilicon.com> X-Mailer: git-send-email 2.8.1 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.67.165.24] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The attr->set() receive a value of u64, but simple_strtoll() is used for doing the conversion. It will lead to the error cast if user inputs a negative value. Use kstrtoull() instead of simple_strtoll() to convert a string got from the user to an unsigned value. The former will return '-EINVAL' if it gets a negetive value, but the latter can't handle the situation correctly. Fixes: f7b88631a897 ("fs/libfs.c: fix simple_attr_write() on 32bit machines") Signed-off-by: Yicong Yang --- fs/libfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/libfs.c b/fs/libfs.c index fc34361..2dcf40e 100644 --- a/fs/libfs.c +++ b/fs/libfs.c @@ -977,7 +977,9 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf, goto out; attr->set_buf[size] = '\0'; - val = simple_strtoll(attr->set_buf, NULL, 0); + ret = kstrtoull(attr->set_buf, 0, &val); + if (ret) + goto out; ret = attr->set(attr->data, val); if (ret == 0) ret = len; /* on success, claim we got the whole input */ -- 2.8.1