Commit eb8052e0 authored Dec 20, 2013 by Wenliang Fan Committed by Chris Mason Jan 28, 2014

fs/btrfs: Integer overflow in btrfs_ioctl_resize()



The local variable 'new_size' comes from userspace. If a large number
was passed, there would be an integer overflow in the following line:
	new_size = old_size + new_size;

Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Chris Mason <clm@fb.com>

parent c9ea7b24

fs/btrfs/ioctl.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -1474,6 +1474,10 @@ static noinline int btrfs_ioctl_resize(struct file *file,
		}
		new_size = old_size - new_size;
		} else if (mod > 0) {
		if (new_size > ULLONG_MAX - old_size) {
		ret = -EINVAL;
		goto out_free;
		}
		new_size = old_size + new_size;
		}