On Fri, 3 Feb 2012 10:26:07 -0500, Xi Wang wrote: > nsegs is read from userspace. Limit its value and avoid overflowing > nsegs * sizeof(__u64) in the subsequent call to memdup_user(). > > This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f. > > Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx> > Cc: Haogang Chen <haogangchen@xxxxxxxxx> > Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> > --- > fs/nilfs2/ioctl.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) Acked-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx> Thank you for posting this fix. Andrew, could you send this uptream in this cycle ? Ryusuke Konishi > diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c > index 8866496..2a70fce 100644 > --- a/fs/nilfs2/ioctl.c > +++ b/fs/nilfs2/ioctl.c > @@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp, > nsegs = argv[4].v_nmembs; > if (argv[4].v_size != argsz[4]) > goto out; > + if (nsegs > UINT_MAX / sizeof(__u64)) > + goto out; > > /* > * argv[4] points to segment numbers this ioctl cleans. We > -- > 1.7.5.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- To unsubscribe from this list: send the line "unsubscribe linux-nilfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
