Commit 4ba985b8 authored by Dan Carpenter's avatar Dan Carpenter Committed by Kent Overstreet

bcachefs: chardev: fix an integer overflow (32 bit only)

On 32 bit systems, "sizeof(*arg) + replica_entries_bytes" can have an
integer overflow leading to memory corruption.  Use size_add() to
prevent this.

Fixes: b44dd3797034 ("bcachefs: Redo filesystem usage ioctls")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: default avatarKent Overstreet <kent.overstreet@linux.dev>
parent 301e0237
...@@ -421,7 +421,7 @@ static long bch2_ioctl_fs_usage(struct bch_fs *c, ...@@ -421,7 +421,7 @@ static long bch2_ioctl_fs_usage(struct bch_fs *c,
if (get_user(replica_entries_bytes, &user_arg->replica_entries_bytes)) if (get_user(replica_entries_bytes, &user_arg->replica_entries_bytes))
return -EFAULT; return -EFAULT;
arg = kzalloc(sizeof(*arg) + replica_entries_bytes, GFP_KERNEL); arg = kzalloc(size_add(sizeof(*arg), replica_entries_bytes), GFP_KERNEL);
if (!arg) if (!arg)
return -ENOMEM; return -ENOMEM;
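Review bot: The `kzalloc()` call still takes a size driven entirely by the user-supplied `replica_entries_bytes`, with no upper bound visible in this hunk. `size_add()` only saturates the sum, so on 32-bit the wrapped case now fails with -ENOMEM. An oversized request can still reach the allocator, and without `__GFP_NOWARN` a request larger than the allocator supports can produce a warning splat that userspace can trigger at will. Consider rejecting out-of-range values before allocating, e.g. `if (replica_entries_bytes > KMALLOC_MAX_SIZE - sizeof(*arg)) return -EINVAL;`, or at least pass `GFP_KERNEL | __GFP_NOWARN`. The rest of bch2_ioctl_fs_usage() is outside the hunk; if it recomputes `sizeof(*arg) + replica_entries_bytes` for the copy back to userspace, that sum needs the same overflow-safe treatment.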
......