On Tue, 2022-01-25 at 18:18 -0800, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@xxxxxxxxxx>
>
> Syzbot tripped over the following complaint from the kernel:
>
> WARNING: CPU: 2 PID: 15402 at mm/util.c:597 kvmalloc_node+0x11e/0x125 mm/util.c:597
>
> While trying to run XFS_IOC_GETBMAP against the following structure:
>
> 	struct getbmap fubar = {
> 		.bmv_count = 0x22dae649,
> 	};
>
> Obviously, this is a crazy huge value since the next thing that the
> ioctl would do is allocate 37GB of memory. This is enough to make
> kvmalloc mad, but isn't large enough to trip the validation functions.
> In other words, I'm fussing with checks that were **already sufficient**
> because that's easier than dealing with 644 internal bug reports. Yes,
> that's right, six hundred and forty-four.
>
> Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>

This fix looks fine to me. Let's get it through. Thanks!
Reviewed-By: Allison Henderson <allison.henderson@xxxxxxxxxx>

> --- > fs/xfs/xfs_ioctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > > diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c > index 03a6198c97f6..2515fe8299e1 100644 > --- a/fs/xfs/xfs_ioctl.c > +++ b/fs/xfs/xfs_ioctl.c > @@ -1464,7 +1464,7 @@ xfs_ioc_getbmap( > > if (bmx.bmv_count < 2) > return -EINVAL; > - if (bmx.bmv_count > ULONG_MAX / recsize) > + if (bmx.bmv_count >= INT_MAX / recsize) > return -ENOMEM; > > buf = kvcalloc(bmx.bmv_count, sizeof(*buf), GFP_KERNEL); >
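
Review bot: the new bound in the `+` line divides INT_MAX by `recsize`, but the `kvcalloc()` call in the trailing context sizes the buffer with `sizeof(*buf)`, so the check only limits the real allocation if the two sizes agree. Consider bounding `bmv_count` against the element size that is actually allocated (or the larger of the two), and adding a one-line comment that INT_MAX is the limit kvmalloc warns about, since the constant and the switch from `>` to `>=` are otherwise unexplained in the code. It may also be worth noting in that comment why an out-of-range user-supplied count returns -ENOMEM here while `bmv_count < 2` just above returns -EINVAL.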