fs/btrfs: Integer overflow in btrfs_ioctl_resize()

The local variable 'new_size' comes from userspace. If a large number was passed, there would be an integer overflow in the following line: new_size = old_size + new_size; Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: Josef Bacik <jbacik@fb.com> Signed-off-by: Chris Mason <clm@fb.com>

fs/btrfs: Integer overflow in btrfs_ioctl_resize()
The local variable 'new_size' comes from userspace. If a large number was passed, there would be an integer overflow in the following line: new_size = old_size + new_size; Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: Josef Bacik <jbacik@fb.com> Signed-off-by: Chris Mason <clm@fb.com>
eb8052e0 · Wenliang Fan · Chris Mason · c9ea7b24 · eb8052e0
Commit eb8052e0 authored Dec 20, 2013 by Wenliang Fan Committed by Chris Mason Jan 28, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

fs/btrfs/ioctl.c fs/btrfs/ioctl.c +4 -0

No files found.
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1474,6 +1474,10 @@ static noinline int btrfs_ioctl_resize(struct file *file,
 		}
 		new_size = old_size - new_size;
 	} else if (mod > 0) {
+		if (new_size > ULLONG_MAX - old_size) {
+			ret = -EINVAL;
+			goto out_free;
+		}
 		new_size = old_size + new_size;
 	}