On Wed, Dec 03, 2014 at 07:24:07PM -0500, Sasha Levin wrote:
> "offset + len" has the potential of overflowing. Validate this user input
> first to avoid undefined behaviour.
>
> Signed-off-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
> ---
> mm/shmem.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index 185836b..5a0e344 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -2098,6 +2098,9 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
> }
>
> /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
> + error = -EOVERFLOW;
> + if ((u64)len + offset < (u64)len)
> + goto out;
Hi Sasha,
It seems to me that we already do some overflow check in common path,
do_fallocate():
/* Check for wrap through zero too */
if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
return -EFBIG;
Do we really need another check?
And this patch changes the return value of fallocate(2), so you need
update man document.
BTW, when I'm reading your patch, I noticed that returning -EOVERFLOW
(rather than -EFBIG) looks better when ((offset + len) < 0) in
do_fallocate() is true.
Thanks,
Naoya Horiguchi
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href