Haogang Chen
481fe17e97
nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()

There is a potential integer overflow in nilfs_ioctl_clean_segments().
When a large argv[n].v_nmembs is passed from the userspace, the subsequent
call to vmalloc() will allocate a buffer smaller than expected, which
leads to out-of-bound access in nilfs_ioctl_move_blocks() and
lfs_clean_segments().

The following check does not prevent the overflow because nsegs is also
controlled by the userspace and could be very large.

        if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                goto out_free;

This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
returns -EINVAL when overflow.

Signed-off-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-12-20 10:25:04 -08:00
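
The size calculation this commit message describes, as an added example that is not part of the commit or of the nilfs2 source: a userspace C model of the 32-bit multiplication wrapping, beside a bound check of the kind the message describes. The struct `argv_model`, both function names, the zero-size check and the sample values are assumptions made for the illustration; only `v_nmembs`, `v_size`, `UINT_MAX` and `-EINVAL` come from the message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: only the two fields named in the commit message. */
struct argv_model {
    uint32_t v_nmembs;  /* element count, supplied by userspace */
    uint16_t v_size;    /* element size, supplied by userspace */
};

/* Unchecked length: the product is computed in 32 bits and wraps silently. */
static uint32_t buf_len_unchecked(const struct argv_model *a)
{
    return (uint32_t)a->v_size * a->v_nmembs;
}

/*
 * Checked length: refuse any count whose product with v_size cannot fit in
 * 32 bits. UINT32_MAX stands in for UINT_MAX (32-bit unsigned int assumed).
 * The v_size == 0 test is an assumption added here to avoid dividing by zero.
 */
static int buf_len_checked(const struct argv_model *a, uint32_t *len)
{
    if (a->v_size == 0)
        return -EINVAL;
    if (a->v_nmembs > UINT32_MAX / a->v_size)
        return -EINVAL;
    *len = (uint32_t)a->v_size * a->v_nmembs;
    return 0;
}

int main(void)
{
    /* Constructed sample: 16 * 0x10000001 = 0x100000010, which wraps to 16. */
    struct argv_model big = { 0x10000001u, 16 };
    uint32_t len = 0;
    uint64_t needed = (uint64_t)big.v_size * big.v_nmembs;

    printf("bytes actually needed: %llu\n", (unsigned long long)needed);
    printf("unchecked length:      %u\n", (unsigned)buf_len_unchecked(&big));
    printf("checked result:        %d\n", buf_len_checked(&big, &len));
    return 0;
}
```

A buffer sized from the unchecked length holds 16 bytes while later code still walks `v_nmembs` elements, which is the out-of-bound access the message refers to.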