[PATCH] block: fix integer overflow in blk_ioctl_discard()

[PATCH] block: fix integer overflow in blk_ioctl_discard()

[Changming Liu]

The the sum of two uint64_t integers, start and len, might overflow. This leads to bypassing the check in "start + len > i_size_read(bdev->bd_inode)", and passed to truncate_inode_pages_range() as the 3rd parameter.

To fix this, also in accord with the patch 22dd6d356628bccb1a83e12212ec2934f4444e2c, the sum of these 2 integers are stored in another variable, and compared with start to make sure it will not overflow. Otherwise return -EINVAL properly.

Signed-off-by: Changming Liu <liu.changm@northeastern.edu>
---
 block/ioctl.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/block/ioctl.c b/block/ioctl.c
index 127194b..4347d1f 100644
--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -207,7 +207,7 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode,
 		unsigned long arg, unsigned long flags)
 {
 	uint64_t range[2];
-	uint64_t start, len;
+	uint64_t start, len, end;
 	struct request_queue *q = bdev_get_queue(bdev);
 	struct address_space *mapping = bdev->bd_inode->i_mapping;
 
@@ -223,14 +223,17 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode,
 
 	start = range[0];
 	len = range[1];
+  end = start + len - 1;
 
 	if (start & 511)
 		return -EINVAL;
 	if (len & 511)
 		return -EINVAL;
-
-	if (start + len > i_size_read(bdev->bd_inode))
+	if (end >= (uint64_t)i_size_read(bdev->bd_inode))
 		return -EINVAL;
+  if(end < start)
+    return -EINVAL;
+
 	truncate_inode_pages_range(mapping, start, start + len - 1);
 	return blkdev_issue_discard(bdev, start >> 9, len >> 9,
 				    GFP_KERNEL, flags);
-- 
2.7.4