* [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
@ 2012-02-03 15:26 ` Xi Wang
0 siblings, 0 replies; 6+ messages in thread
From: Xi Wang @ 2012-02-03 15:26 UTC (permalink / raw
To: KONISHI Ryusuke
Cc: linux-nilfs, linux-kernel, Xi Wang, Haogang Chen, Andrew Morton
nsegs is read from userspace. Limit its value and avoid overflowing
nsegs * sizeof(__u64) in the subsequent call to memdup_user().
This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Cc: Haogang Chen <haogangchen@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
---
fs/nilfs2/ioctl.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 8866496..2a70fce 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
nsegs = argv[4].v_nmembs;
if (argv[4].v_size != argsz[4])
goto out;
+ if (nsegs > UINT_MAX / sizeof(__u64))
+ goto out;
/*
* argv[4] points to segment numbers this ioctl cleans. We
--
1.7.5.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
@ 2012-02-03 15:26 ` Xi Wang
0 siblings, 0 replies; 6+ messages in thread
From: Xi Wang @ 2012-02-03 15:26 UTC (permalink / raw
To: KONISHI Ryusuke
Cc: linux-nilfs-u79uwXL29TY76Z2rM5mHXA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA, Xi Wang, Haogang Chen,
Andrew Morton
nsegs is read from userspace. Limit its value and avoid overflowing
nsegs * sizeof(__u64) in the subsequent call to memdup_user().
This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.
Signed-off-by: Xi Wang <xi.wang-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: Haogang Chen <haogangchen-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
---
fs/nilfs2/ioctl.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 8866496..2a70fce 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
nsegs = argv[4].v_nmembs;
if (argv[4].v_size != argsz[4])
goto out;
+ if (nsegs > UINT_MAX / sizeof(__u64))
+ goto out;
/*
* argv[4] points to segment numbers this ioctl cleans. We
--
1.7.5.4
--
To unsubscribe from this list: send the line "unsubscribe linux-nilfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
@ 2012-02-04 3:13 ` Ryusuke Konishi
0 siblings, 0 replies; 6+ messages in thread
From: Ryusuke Konishi @ 2012-02-04 3:13 UTC (permalink / raw
To: xi.wang, akpm; +Cc: linux-nilfs, linux-kernel, haogangchen
On Fri, 3 Feb 2012 10:26:07 -0500, Xi Wang wrote:
> nsegs is read from userspace. Limit its value and avoid overflowing
> nsegs * sizeof(__u64) in the subsequent call to memdup_user().
>
> This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.
>
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: Haogang Chen <haogangchen@gmail.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> ---
> fs/nilfs2/ioctl.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Thank you for posting this fix.
Andrew, could you send this uptream in this cycle ?
Ryusuke Konishi
> diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
> index 8866496..2a70fce 100644
> --- a/fs/nilfs2/ioctl.c
> +++ b/fs/nilfs2/ioctl.c
> @@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
> nsegs = argv[4].v_nmembs;
> if (argv[4].v_size != argsz[4])
> goto out;
> + if (nsegs > UINT_MAX / sizeof(__u64))
> + goto out;
>
> /*
> * argv[4] points to segment numbers this ioctl cleans. We
> --
> 1.7.5.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
@ 2012-02-04 3:13 ` Ryusuke Konishi
0 siblings, 0 replies; 6+ messages in thread
From: Ryusuke Konishi @ 2012-02-04 3:13 UTC (permalink / raw
To: xi.wang-Re5JQEeQqe8AvxtiuMwx3w,
akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b
Cc: linux-nilfs-u79uwXL29TY76Z2rM5mHXA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
haogangchen-Re5JQEeQqe8AvxtiuMwx3w
On Fri, 3 Feb 2012 10:26:07 -0500, Xi Wang wrote:
> nsegs is read from userspace. Limit its value and avoid overflowing
> nsegs * sizeof(__u64) in the subsequent call to memdup_user().
>
> This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.
>
> Signed-off-by: Xi Wang <xi.wang-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Cc: Haogang Chen <haogangchen-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
> ---
> fs/nilfs2/ioctl.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
Acked-by: Ryusuke Konishi <konishi.ryusuke-Zyj7fXuS5i5L9jVzuh4AOg@public.gmane.org>
Thank you for posting this fix.
Andrew, could you send this uptream in this cycle ?
Ryusuke Konishi
> diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
> index 8866496..2a70fce 100644
> --- a/fs/nilfs2/ioctl.c
> +++ b/fs/nilfs2/ioctl.c
> @@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
> nsegs = argv[4].v_nmembs;
> if (argv[4].v_size != argsz[4])
> goto out;
> + if (nsegs > UINT_MAX / sizeof(__u64))
> + goto out;
>
> /*
> * argv[4] points to segment numbers this ioctl cleans. We
> --
> 1.7.5.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-nilfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
@ 2012-02-04 4:36 ` Andrew Morton
0 siblings, 0 replies; 6+ messages in thread
From: Andrew Morton @ 2012-02-04 4:36 UTC (permalink / raw
To: Ryusuke Konishi; +Cc: xi.wang, linux-nilfs, linux-kernel, haogangchen
On Sat, 04 Feb 2012 12:13:02 +0900 (JST) Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> wrote:
> On Fri, 3 Feb 2012 10:26:07 -0500, Xi Wang wrote:
> > nsegs is read from userspace. Limit its value and avoid overflowing
> > nsegs * sizeof(__u64) in the subsequent call to memdup_user().
> >
> > This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.
> >
> > Signed-off-by: Xi Wang <xi.wang@gmail.com>
> > Cc: Haogang Chen <haogangchen@gmail.com>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > ---
> > fs/nilfs2/ioctl.c | 2 ++
> > 1 files changed, 2 insertions(+), 0 deletions(-)
>
> Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
>
>
> Thank you for posting this fix.
>
> Andrew, could you send this uptream in this cycle ?
I sure can.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
@ 2012-02-04 4:36 ` Andrew Morton
0 siblings, 0 replies; 6+ messages in thread
From: Andrew Morton @ 2012-02-04 4:36 UTC (permalink / raw
To: Ryusuke Konishi
Cc: xi.wang-Re5JQEeQqe8AvxtiuMwx3w,
linux-nilfs-u79uwXL29TY76Z2rM5mHXA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
haogangchen-Re5JQEeQqe8AvxtiuMwx3w
On Sat, 04 Feb 2012 12:13:02 +0900 (JST) Ryusuke Konishi <konishi.ryusuke-Zyj7fXuS5i5L9jVzuh4AOg@public.gmane.org> wrote:
> On Fri, 3 Feb 2012 10:26:07 -0500, Xi Wang wrote:
> > nsegs is read from userspace. Limit its value and avoid overflowing
> > nsegs * sizeof(__u64) in the subsequent call to memdup_user().
> >
> > This patch complements 481fe17e973fb97aa3edf17c69557afe88d8334f.
> >
> > Signed-off-by: Xi Wang <xi.wang-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> > Cc: Haogang Chen <haogangchen-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> > Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
> > ---
> > fs/nilfs2/ioctl.c | 2 ++
> > 1 files changed, 2 insertions(+), 0 deletions(-)
>
> Acked-by: Ryusuke Konishi <konishi.ryusuke-Zyj7fXuS5i5L9jVzuh4AOg@public.gmane.org>
>
>
> Thank you for posting this fix.
>
> Andrew, could you send this uptream in this cycle ?
I sure can.
--
To unsubscribe from this list: send the line "unsubscribe linux-nilfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2012-02-04 4:36 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-02-03 15:26 [PATCH] nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments() Xi Wang
2012-02-03 15:26 ` Xi Wang
2012-02-04 3:13 ` Ryusuke Konishi
2012-02-04 3:13 ` Ryusuke Konishi
2012-02-04 4:36 ` Andrew Morton
2012-02-04 4:36 ` Andrew Morton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.