bcachefs: chardev: fix an integer overflow (32 bit only)

On 32 bit systems, "sizeof(*arg) + replica_entries_bytes" can have an integer overflow leading to memory corruption. Use size_add() to prevent this. Fixes: b44dd3797034 ("bcachefs: Redo filesystem usage ioctls") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

bcachefs: chardev: fix an integer overflow (32 bit only)
On 32 bit systems, "sizeof(*arg) + replica_entries_bytes" can have an integer overflow leading to memory corruption. Use size_add() to prevent this. Fixes: b44dd3797034 ("bcachefs: Redo filesystem usage ioctls") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
4ba985b8 · Dan Carpenter · Kent Overstreet · 301e0237 · 4ba985b8
Commit 4ba985b8 authored Sep 14, 2023 by Dan Carpenter Committed by Kent Overstreet Oct 22, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

fs/bcachefs/chardev.c fs/bcachefs/chardev.c +1 -1

No files found.
--- a/fs/bcachefs/chardev.c
+++ b/fs/bcachefs/chardev.c
@@ -421,7 +421,7 @@ static long bch2_ioctl_fs_usage(struct bch_fs *c,
 	if (get_user(replica_entries_bytes, &user_arg->replica_entries_bytes))
 		return -EFAULT;

-	arg = kzalloc(sizeof(*arg) + replica_entries_bytes, GFP_KERNEL);
+	arg = kzalloc(size_add(sizeof(*arg), replica_entries_bytes), GFP_KERNEL);
 	if (!arg)
 		return -ENOMEM;