"offset + len" has the potential of overflowing. Validate this user input first to avoid undefined behaviour.
Signed-off-by: Sasha Levin <sasha.le...@oracle.com> --- mm/shmem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mm/shmem.c b/mm/shmem.c index 185836b..5a0e344 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2098,6 +2098,9 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, } /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ + error = -EOVERFLOW; + if ((u64)len + offset < (u64)len) + goto out; error = inode_newsize_ok(inode, offset + len); if (error) goto out; -- 1.7.10.4
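Review bot: the new check in the shmem_fallocate hunk does not cover the overflow the commit message describes, because it tests for unsigned wraparound while the very next line, `error = inode_newsize_ok(inode, offset + len);`, still performs the addition on signed loff_t values. A pair such as offset = LLONG_MAX, len = 1 passes `(u64)len + offset < (u64)len` (the u64 sum is 2^63, not smaller than len) and then overflows the signed `offset + len`, which is exactly the undefined behaviour being targeted. For non-negative operands a check of the form `if (offset > LLONG_MAX - len)` (or an equivalent comparison against the signed limit) rejects the case before the signed addition is evaluated. Two smaller points: fallocate(2) documents EFBIG for an offset+len beyond the maximum file size, so -EOVERFLOW is an unusual choice for this error path; and it is worth stating in the changelog whether the generic fallocate entry point already rejects such a range before shmem_fallocate is reached, since if it does this becomes dead code.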