Commit 0fa945de authored Sep 17, 2019 by Sahitya Tummala Committed by Jaegeuk Kim Sep 23, 2019

f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()



end = range.start + range.len;

If the range.start/range.len is a very large value, then end can overflow
in this operation. It results into a crash in get_valid_blocks() when
accessing the invalid range.start segno.

This issue is reported in ioctl fuzz testing.

Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

parent 570feb72

fs/f2fs/file.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -2318,9 +2318,9 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg)
		return -EROFS;

		end = range.start + range.len;
		if (range.start < MAIN_BLKADDR(sbi) \|\| end >= MAX_BLKADDR(sbi)) {
		if (end < range.start \|\| range.start < MAIN_BLKADDR(sbi) \|\|
		end >= MAX_BLKADDR(sbi))
		return -EINVAL;
		}

		ret = mnt_want_write_file(filp);
		if (ret)