nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments() nsegs is read from userspace. Limit its value and avoid overflowing nsegs * sizeof(__u64) in the subsequent call to memdup_user(). This patch complements 481fe17e973fb9 ("nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()"). Signed-off-by: Xi Wang <xi.wang@gmail.com> Cc: Haogang Chen <haogangchen@gmail.com> Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: 1ecd3c7ea76488c63b4b0a2561fd7eaf96cc8028 [log] [tgz]
author: Xi Wang <xi.wang@gmail.com> Wed Feb 08 17:13:37 2012 -0800
committer: Linus Torvalds <torvalds@linux-foundation.org> Wed Feb 08 19:03:51 2012 -0800
tree: 3bc88fd0b4fd61c86141c66e86cf5492753bcd22
parent: 98e96852480566333f6dacd3223f0be15df34d60 [diff] [blame]
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 8866496..2a70fce 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c

@@ -603,6 +603,8 @@
 	nsegs = argv[4].v_nmembs;
 	if (argv[4].v_size != argsz[4])
 		goto out;
+	if (nsegs > UINT_MAX / sizeof(__u64))
+		goto out;
 
 	/*
 	 * argv[4] points to segment numbers this ioctl cleans.  We
commit	1ecd3c7ea76488c63b4b0a2561fd7eaf96cc8028	[log] [tgz]
author	Xi Wang <xi.wang@gmail.com>	Wed Feb 08 17:13:37 2012 -0800
committer	Linus Torvalds <torvalds@linux-foundation.org>	Wed Feb 08 19:03:51 2012 -0800
tree	3bc88fd0b4fd61c86141c66e86cf5492753bcd22
parent	98e96852480566333f6dacd3223f0be15df34d60 [diff] [blame]