On Mon, 2013-12-30 at 15:29 +0800, Wenliang Fan wrote: > Check before entering into cycle. > > The local variable 'pos' comes from userspace. If a large number was > passed, there would be an integer overflow in the following line: > pos += n; > > Signed-off-by: Wenliang Fan <fanwlexca@xxxxxxxxx> > --- > fs/nilfs2/ioctl.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c > index b44bdb2..a260a98 100644 > --- a/fs/nilfs2/ioctl.c > +++ b/fs/nilfs2/ioctl.c > @@ -65,6 +65,8 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs, > ret = 0; > total = 0; > pos = argv->v_index; > + if (pos > ULONG_MAX - argv->v_nmembs) I'd prefer to use brackets during condition checking. But it is only my preferences. > + return -EINVAL; I think that you have an issue in this code. It is called __get_free_pages before your code (please, see http://lxr.free-electrons.com/source/fs/nilfs2/ioctl.c#L60). But you simply returns -EINVAL without free_pages() call. So, I think that it is memory leak. Thanks, Vyacheslav Dubeyko. > for (i = 0; i < argv->v_nmembs; i += n) { > n = (argv->v_nmembs - i < maxmembs) ? > argv->v_nmembs - i : maxmembs; -- To unsubscribe from this list: send the line "unsubscribe linux-nilfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
