diff options
| author |   Sahitya Tummala <stummala@codeaurora.org> | 2019-09-17 10:19:23 +0530 |
|---|---|---|
| committer |   Jaegeuk Kim <jaegeuk@kernel.org> | 2019-09-17 13:56:15 -0700 |
| commit | fbbf779989d2ef9a51daaa4e53c0b2ecc8c55c4e (patch) | |
| tree | 2f12ef343c175b800765c41ba913dc430059e50f /fs/f2fs | |
| parent | f2fs: fix to add missing F2FS_IO_ALIGNED() condition (diff) | |
| download | wireguard-linux-fbbf779989d2ef9a51daaa4e53c0b2ecc8c55c4e.tar.xz wireguard-linux-fbbf779989d2ef9a51daaa4e53c0b2ecc8c55c4e.zip | |
f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()
end = range.start + range.len;
If the range.start/range.len is a very large value, then end can overflow
in this operation. It results into a crash in get_valid_blocks() when
accessing the invalid range.start segno.
This issue is reported in ioctl fuzz testing.
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Diffstat (limited to 'fs/f2fs')
| -rw-r--r-- | fs/f2fs/file.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index aea82f2b9240..e4b78fb3fc79 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -2264,9 +2264,9 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg) return -EROFS; end = range.start + range.len; - if (range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi)) { + if (end < range.start || range.start < MAIN_BLKADDR(sbi) || + end >= MAX_BLKADDR(sbi)) return -EINVAL; - } ret = mnt_want_write_file(filp); if (ret) |