* [PATCH] block: fix a unsigned integer overflow which could bypass check
@ 2020-11-27  1:29 Changming
From: Changming @ 2020-11-27  1:29 UTC (permalink / raw)
  To: axboe; +Cc: linux-block, yaohway, liu.changm, Changming Liu

From: Changming Liu <charley.ashbringer@gmail.com>

start and len are 64-bit unsigned integers and
come purely from user space, thus start + len can
wrap around and bypass the check at

start + len > i_size_read(bdev->bd_inode)

This overflowed value can cause trouble
after being passed to truncate_bdev_range.

To fix this, a wrap-around check is added, just
like in blk_ioctl_zeroout, so that such an
overflowed value can be rejected.

Signed-off-by: Changming Liu <charley.ashbringer@gmail.com>
---
 block/ioctl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/block/ioctl.c b/block/ioctl.c
index 3fbc382eb926..3fddb1fe5b35 100644
--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -133,6 +133,8 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode,
 
 	if (start + len > i_size_read(bdev->bd_inode))
 		return -EINVAL;
+	if (start + len < start)
+		return -EINVAL;
 
 	err = truncate_bdev_range(bdev, mode, start, start + len - 1);
 	if (err)
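Review bot: The wrap test `if (start + len < start)` sits after the size comparison, so `start + len > i_size_read(bdev->bd_inode)` is still evaluated on a possibly wrapped sum, and the same sum is computed a third time in the truncate_bdev_range() call. Both paths return -EINVAL, so the result is correct, but it would read more clearly with the wrap test first, or with the end offset computed once through check_add_overflow() and reused for the size comparison and the call. The visible context also shows no rejection of len == 0; if nothing above the hunk handles it, `start + len - 1` wraps when start == 0, so that case may deserve the same treatment.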
-- 
2.17.1
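The wrap-around described in the commit message, as an added user-space example (not part of the patch or of block/ioctl.c). The function names, the 1 GiB device size and the request values are constructed for illustration, and the subtraction-based variant is an alternative formulation, not what the patch uses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch check: only the size comparison, on a sum that may wrap. */
static bool range_ok_unpatched(uint64_t start, uint64_t len, uint64_t size)
{
    return !(start + len > size);
}

/* Check as patched: size comparison followed by the wrap-around test. */
static bool range_ok_patched(uint64_t start, uint64_t len, uint64_t size)
{
    if (start + len > size)
        return false;
    if (start + len < start)
        return false;
    return true;
}

/* Alternative form (assumption, not from the patch): no wrapping sum at all. */
static bool range_ok_subtract(uint64_t start, uint64_t len, uint64_t size)
{
    return start <= size && len <= size - start;
}

/* Inclusive end offset handed on by the caller, as in start + len - 1. */
static uint64_t range_end(uint64_t start, uint64_t len)
{
    return start + len - 1;
}

int main(void)
{
    const uint64_t size = 1ULL << 30;        /* constructed: 1 GiB device */
    const uint64_t start = 0x1000;           /* constructed request offset */
    const uint64_t len = UINT64_MAX - 0xFFF; /* start + len == 2^64, wraps to 0 */

    printf("sum=%#llx end=%#llx\n", (unsigned long long)(start + len),
           (unsigned long long)range_end(start, len));
    printf("unpatched accepts: %d\n", range_ok_unpatched(start, len, size));
    printf("patched accepts:   %d\n", range_ok_patched(start, len, size));
    printf("subtract accepts:  %d\n", range_ok_subtract(start, len, size));
    return 0;
}
```

With these values the wrapped sum is 0, so the size comparison alone accepts the request while the end offset passed on would be the maximum 64-bit value; both the patched and the subtraction form reject it.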

