fs/btrfs: Integer overflow in btrfs_ioctl_resize()
The local variable 'new_size' comes from userspace. If a large number was passed, there would be an integer overflow in the following line: new_size = old_size + new_size; Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: Josef Bacik <jbacik@fb.com> Signed-off-by: Chris Mason <clm@fb.com>
parent
c9ea7b24ce
commit
eb8052e015
@ -1474,6 +1474,10 @@ static noinline int btrfs_ioctl_resize(struct file *file,
|
||||
}
|
||||
new_size = old_size - new_size;
|
||||
} else if (mod > 0) {
|
||||
if (new_size > ULLONG_MAX - old_size) {
|
||||
ret = -EINVAL;
|
||||
goto out_free;
|
||||
}
|
||||
new_size = old_size + new_size;
|
||||
}
|
||||
|
||||
|
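Review bot: The new guard `if (new_size > ULLONG_MAX - old_size)` covers only the `mod > 0` branch, so the subtraction `new_size = old_size - new_size;` in the branch above needs its own `new_size > old_size` rejection. The `}` just before that subtraction probably closes such a check, but that block starts outside the hunk and should be confirmed. At the guard, `new_size` still holds the user-supplied delta rather than the final size, which is easy to misread, so a comment above it such as `/* new_size is the user-supplied delta here; reject before the addition can wrap */` would help. The body of btrfs_ioctl_resize() starts and ends outside the hunk, so whether `out_free` releases everything acquired up to this point cannot be checked from these lines.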