diff options
| author | Darrick J. Wong <djwong@kernel.org> | 2022-01-24 15:48:31 -0800 |
|---|---|---|
| committer | Darrick J. Wong <djwong@kernel.org> | 2022-01-27 08:34:13 -0800 |
| commit | 9d49f0ee6f35b8cebe79539a682f7e23b55bc6e8 (patch) | |
| tree | d0e6d00e73f2f91176051ddee7a1ef92a6577719 | |
| parent | 786918a584155a0ff600fc59a72688e5cabfe5d9 (diff) | |
xfs: reject crazy array sizes being fed to XFS_IOC_GETBMAP*getbmap-validation-5.17_2022-01-29
Syzbot tripped over the following complaint from the kernel:
WARNING: CPU: 2 PID: 15402 at mm/util.c:597 kvmalloc_node+0x11e/0x125 mm/util.c:597
While trying to run XFS_IOC_GETBMAP against the following structure:
struct getbmap fubar = {
.bmv_count = 0x22dae649,
};
Obviously, this is a crazy huge value since the next thing that the
ioctl would do is allocate 37GB of memory. This is enough to make
kvmalloc mad, but isn't large enough to trip the validation functions.
In other words, I'm fussing with checks that were **already sufficient**
because that's easier than dealing with 644 internal bug reports. Yes,
that's right, six hundred and forty-four.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
| -rw-r--r-- | fs/xfs/xfs_ioctl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index 03a6198c97f6..2515fe8299e1 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c @@ -1464,7 +1464,7 @@ xfs_ioc_getbmap( if (bmx.bmv_count < 2) return -EINVAL; - if (bmx.bmv_count > ULONG_MAX / recsize) + if (bmx.bmv_count >= INT_MAX / recsize) return -ENOMEM; buf = kvcalloc(bmx.bmv_count, sizeof(*buf), GFP_KERNEL); |