| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_B22CA96C8896C0E9FEEFD2CCAC795A6E500A@qq.com> Date: Wed, 9 Oct 2024 23:05:41 +0800 From: Edward Adam Davis <eadavis@...com> To: syzbot+81092778aac03460d6b7@...kaller.appspotmail.com Cc: jlbec@...lplan.org, joseph.qi@...ux.alibaba.com, linux-kernel@...r.kernel.org, mark@...heh.com, ocfs2-devel@...ts.linux.dev, syzkaller-bugs@...glegroups.com Subject: [PATCH] ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Syzbot reported a kernel BUG in ocfs2_truncate_inline. There are two reasons for this: first, the parameter value passed is greater than UINT_MAX, second, the start and end parameters of ocfs2_truncate_inline are "unsigned int". So, we need to add a sanity check for offset and len in ocfs2_fallocate, if they are greater than UINT_MAX return -EFBIG. Reported-and-tested-by: syzbot+81092778aac03460d6b7@...kaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7 Signed-off-by: Edward Adam Davis <eadavis@...com> --- fs/ocfs2/file.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c index ad131a2fc58e..ed26ec8ac6b6 100644 --- a/fs/ocfs2/file.c +++ b/fs/ocfs2/file.c @@ -2117,6 +2117,9 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset, return ret; } + if (offset > UINT_MAX || offset + len > UINT_MAX) + return -EFBIG; + if (mode & FALLOC_FL_PUNCH_HOLE) cmd = OCFS2_IOC_UNRESVSP64; -- 2.43.0
Powered by blists - more mailing lists