Subject: + fs-nilfs2-fix-integer-overflow-in-nilfs_ioctl_wrap_copy.patch added to -mm tree To: fanwlexca@xxxxxxxxx,konishi.ryusuke@xxxxxxxxxxxxx,slava@xxxxxxxxxxx From: akpm@xxxxxxxxxxxxxxxxxxxx Date: Fri, 03 Jan 2014 16:10:23 -0800 The patch titled Subject: fs/nilfs2: fix integer overflow in nilfs_ioctl_wrap_copy() has been added to the -mm tree. Its filename is fs-nilfs2-fix-integer-overflow-in-nilfs_ioctl_wrap_copy.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/fs-nilfs2-fix-integer-overflow-in-nilfs_ioctl_wrap_copy.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/fs-nilfs2-fix-integer-overflow-in-nilfs_ioctl_wrap_copy.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Wenliang Fan <fanwlexca@xxxxxxxxx> Subject: fs/nilfs2: fix integer overflow in nilfs_ioctl_wrap_copy() Check before entering into cycle. The local variable 'pos' comes from userspace. If a large number was passed, there would be an integer overflow in the following line: pos += n; Signed-off-by: Wenliang Fan <fanwlexca@xxxxxxxxx> Cc: Vyacheslav Dubeyko <slava@xxxxxxxxxxx> Cc: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/nilfs2/ioctl.c | 3 +++ 1 file changed, 3 insertions(+) diff -puN fs/nilfs2/ioctl.c~fs-nilfs2-fix-integer-overflow-in-nilfs_ioctl_wrap_copy fs/nilfs2/ioctl.c --- a/fs/nilfs2/ioctl.c~fs-nilfs2-fix-integer-overflow-in-nilfs_ioctl_wrap_copy +++ a/fs/nilfs2/ioctl.c @@ -57,6 +57,9 @@ static int nilfs_ioctl_wrap_copy(struct if (argv->v_size > PAGE_SIZE) return -EINVAL; + if (argv->v_index > (~(__u64)0 - argv->v_nmembs)) + return -EINVAL; + buf = (void *)__get_free_pages(GFP_NOFS, 0); if (unlikely(!buf)) return -ENOMEM; _ Patches currently in -mm which might be from fanwlexca@xxxxxxxxx are origin.patch fs-nilfs2-fix-integer-overflow-in-nilfs_ioctl_wrap_copy.patch linux-next.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html