On 12/03/2014 08:51 PM, Naoya Horiguchi wrote: > On Wed, Dec 03, 2014 at 07:24:07PM -0500, Sasha Levin wrote: >> > "offset + len" has the potential of overflowing. Validate this user input >> > first to avoid undefined behaviour. >> > >> > Signed-off-by: Sasha Levin <sasha.le...@oracle.com> >> > --- >> > mm/shmem.c | 3 +++ >> > 1 file changed, 3 insertions(+) >> > >> > diff --git a/mm/shmem.c b/mm/shmem.c >> > index 185836b..5a0e344 100644 >> > --- a/mm/shmem.c >> > +++ b/mm/shmem.c >> > @@ -2098,6 +2098,9 @@ static long shmem_fallocate(struct file *file, int >> > mode, loff_t offset, >> > } >> > >> > /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ >> > + error = -EOVERFLOW; >> > + if ((u64)len + offset < (u64)len) >> > + goto out; > Hi Sasha, > > It seems to me that we already do some overflow check in common path, > do_fallocate(): > > /* Check for wrap through zero too */ > if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < > 0)) > return -EFBIG; > > Do we really need another check?
It looks like we actually need to fix this snippet you pasted rather than shmem_fallocate(). We can't check for ((offset + len) < 0) since both offset and length are signed integers. I'll send a patch to deal with that rather that this shmem specific one. Thanks! Thanks, Sasha -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
