* [PATCH] block: fix integer overflow in blk_ioctl_discard()
@ 2020-03-13 19:43 Changming Liu
From: Changming Liu @ 2020-03-13 19:43 UTC (permalink / raw)
To: axboe; +Cc: linux-block, Changming Liu
The sum of two uint64_t integers, start and len, might overflow. This leads to bypassing the check in "start + len > i_size_read(bdev->bd_inode)", with the overflowed value then passed to truncate_inode_pages_range() as the 3rd parameter.
To fix this, also in accord with the patch 22dd6d356628bccb1a83e12212ec2934f4444e2c, the sum of these 2 integers is stored in another variable and compared with start to make sure it will not overflow. Otherwise, -EINVAL is returned properly.
Signed-off-by: Changming Liu <liu.changm@northeastern.edu>
---
block/ioctl.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/block/ioctl.c b/block/ioctl.c
index 127194b..4347d1f 100644
--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -207,7 +207,7 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode,
unsigned long arg, unsigned long flags)
{
uint64_t range[2];
- uint64_t start, len;
+ uint64_t start, len, end;
struct request_queue *q = bdev_get_queue(bdev);
struct address_space *mapping = bdev->bd_inode->i_mapping;
@@ -223,14 +223,17 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode,
start = range[0];
len = range[1];
+ end = start + len - 1;
if (start & 511)
return -EINVAL;
if (len & 511)
return -EINVAL;
-
- if (start + len > i_size_read(bdev->bd_inode))
+ if (end >= (uint64_t)i_size_read(bdev->bd_inode))
return -EINVAL;
+ if(end < start)
+ return -EINVAL;
+
truncate_inode_pages_range(mapping, start, start + len - 1);
return blkdev_issue_discard(bdev, start >> 9, len >> 9,
GFP_KERNEL, flags);
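Review bot: the len == 0 case changes behaviour silently in this hunk: with `end = start + len - 1;`, a zero length makes end == start - 1, so `if(end < start)` now rejects every zero-length request (and for start == 0 the subtraction wraps end to UINT64_MAX, which the size check rejects), whereas the removed `start + len > i_size_read(...)` accepted len == 0. If that is intended, the commit message should say so; otherwise handle len == 0 explicitly before computing end. Smaller points: put the `end < start` wrap check before the `end >= (uint64_t)i_size_read(...)` comparison so the size test is never evaluated on a wrapped value (harmless here since both paths return -EINVAL, but clearer to read); `if(end < start)` needs a space after `if` per checkpatch; and since `end` already holds start + len - 1, the `truncate_inode_pages_range(mapping, start, start + len - 1);` call can pass `end` instead of recomputing it.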
--
2.7.4
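As an added example, not part of the patch or of the kernel source, the following stand-alone C model reproduces the range validation of blk_ioctl_discard() before and after the patch so the wrap-around can be exercised on a constructed device size. `discard_check_before`, `discard_check_after` and `checkers_disagree` are names chosen here, `size` stands in for i_size_read(bdev->bd_inode), and the 1 MiB device and the request list are constructed inputs.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-alone model of the validation in blk_ioctl_discard() before the
 * patch (constructed for illustration, not kernel code). `size` stands in
 * for i_size_read(bdev->bd_inode). Returns 0 when the range is accepted
 * and -EINVAL when it is rejected.
 */
static int discard_check_before(uint64_t start, uint64_t len, uint64_t size)
{
	if (start & 511)
		return -EINVAL;
	if (len & 511)
		return -EINVAL;
	/* start + len is evaluated in uint64_t: if it wraps, the result is
	 * small and this comparison no longer rejects the request. */
	if (start + len > size)
		return -EINVAL;
	return 0;
}

/* Same model with the patch applied: the end offset is stored in its own
 * variable and compared against start to detect wrap-around. */
static int discard_check_after(uint64_t start, uint64_t len, uint64_t size)
{
	uint64_t end = start + len - 1;

	if (start & 511)
		return -EINVAL;
	if (len & 511)
		return -EINVAL;
	if (end >= size)
		return -EINVAL;
	if (end < start)	/* wrapped around */
		return -EINVAL;
	return 0;
}

/* True when the old and new checks reach different verdicts for a request;
 * useful for spotting inputs whose outcome the patch changes. */
static bool checkers_disagree(uint64_t start, uint64_t len, uint64_t size)
{
	return discard_check_before(start, len, size) !=
	       discard_check_after(start, len, size);
}

int main(void)
{
	const uint64_t size = 1ULL << 20;	/* constructed 1 MiB device */
	struct { const char *name; uint64_t start, len; } cases[] = {
		{ "in range",            512,        4096 },
		{ "ends at device size", size - 512, 512 },
		{ "past device size",    size - 512, 1024 },
		/* start + len == 2^64, which wraps to 0 in uint64_t */
		{ "wrapping sum",        512,        UINT64_MAX - 511 },
		{ "zero length",         4096,       0 },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int before = discard_check_before(cases[i].start, cases[i].len, size);
		int after = discard_check_after(cases[i].start, cases[i].len, size);

		printf("%-20s before=%d after=%d%s\n", cases[i].name, before, after,
		       before != after ? "  <- outcome changed" : "");
	}
	return 0;
}
```

The "wrapping sum" row is the case the commit message describes: the old check computes 512 + (2^64 - 512) == 0, which is not greater than the device size, so the request is accepted, while the new check sees end == UINT64_MAX and rejects it. The "zero length" row shows the side effect of the rewritten check: a zero-length request passed the old comparison but is now rejected because end < start.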