> On Jan 25, 2022, at 6:18 PM, Darrick J. Wong <djwong@xxxxxxxxxx> wrote:
>
> From: Darrick J. Wong <djwong@xxxxxxxxxx>
>
> Syzbot tripped over the following complaint from the kernel:
>
> WARNING: CPU: 2 PID: 15402 at mm/util.c:597 kvmalloc_node+0x11e/0x125 mm/util.c:597
>
> While trying to run XFS_IOC_GETBMAP against the following structure:
>
> struct getbmap fubar = {
> .bmv_count = 0x22dae649,
> };
>
> Obviously, this is a crazy huge value since the next thing that the
> ioctl would do is allocate 37GB of memory. This is enough to make
> kvmalloc mad, but isn't large enough to trip the validation functions.
> In other words, I'm fussing with checks that were **already sufficient**
> because that's easier than dealing with 644 internal bug reports. Yes,
> that's right, six hundred and forty-four.
>
> Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
> ---
> fs/xfs/xfs_ioctl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Looks good,
Reviewed-by: Catherine Hoang <catherine.hoang@xxxxxxxxxx>
>
> diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
> index 03a6198c97f6..2515fe8299e1 100644
> --- a/fs/xfs/xfs_ioctl.c
> +++ b/fs/xfs/xfs_ioctl.c
> @@ -1464,7 +1464,7 @@ xfs_ioc_getbmap(
>
> if (bmx.bmv_count < 2)
> return -EINVAL;
> - if (bmx.bmv_count > ULONG_MAX / recsize)
> + if (bmx.bmv_count >= INT_MAX / recsize)
> return -ENOMEM;
>
> buf = kvcalloc(bmx.bmv_count, sizeof(*buf), GFP_KERNEL);
>
