
Commit eb8052e0 authored by Wenliang Fan, committed by Chris Mason

fs/btrfs: Integer overflow in btrfs_ioctl_resize()



The local variable 'new_size' comes from userspace. If a large number
was passed, there would be an integer overflow in the following line:
	new_size = old_size + new_size;

Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Chris Mason <clm@fb.com>
parent c9ea7b24
+4 −0
@@ -1474,6 +1474,10 @@ static noinline int btrfs_ioctl_resize(struct file *file,
		}
		new_size = old_size - new_size;
	} else if (mod > 0) {
		if (new_size > ULLONG_MAX - old_size) {
			ret = -EINVAL;
			goto out_free;
		}
		new_size = old_size + new_size;
	}
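
Review bot: The bound in `if (new_size > ULLONG_MAX - old_size)` is only right if `new_size` and `old_size` are both unsigned 64-bit, and their declarations are outside this hunk; if they are u64, comparing against the u64 maximum, e.g. `(u64)-1`, would tie the check to the variables' type instead of to `unsigned long long`. The rearranged form itself is sound, since `ULLONG_MAX - old_size` cannot wrap while `old_size + new_size` can. The new branch has no comment, so a one-line note above it saying that `new_size` is user-supplied and the addition below would otherwise wrap would keep the check from being dropped in a later cleanup. It also returns a bare -EINVAL, which leaves the caller unable to tell an overflowing grow request from any other bad argument on this path.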