forked from luck/tmp_suning_uos_patched
481fe17e97
There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen <haogangchen@gmail.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
---|---|---|
.. | ||
alloc.c | ||
alloc.h | ||
bmap.c | ||
bmap.h | ||
btnode.c | ||
btnode.h | ||
btree.c | ||
btree.h | ||
cpfile.c | ||
cpfile.h | ||
dat.c | ||
dat.h | ||
dir.c | ||
direct.c | ||
direct.h | ||
export.h | ||
file.c | ||
gcinode.c | ||
ifile.c | ||
ifile.h | ||
inode.c | ||
ioctl.c | ||
Kconfig | ||
Makefile | ||
mdt.c | ||
mdt.h | ||
namei.c | ||
nilfs.h | ||
page.c | ||
page.h | ||
recovery.c | ||
segbuf.c | ||
segbuf.h | ||
segment.c | ||
segment.h | ||
sufile.c | ||
sufile.h | ||
super.c | ||
the_nilfs.c | ||
the_nilfs.h |