Commit bc0a2f3

ea1davis authored and akpm00 committed
ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow

Syzbot reported a kernel BUG in ocfs2_truncate_inline. There are two reasons for this: first, the parameter value passed is greater than ocfs2_max_inline_data_with_xattr, second, the start and end parameters of ocfs2_truncate_inline are "unsigned int".

So, we need to add a sanity check for byte_start and byte_len right before ocfs2_truncate_inline() in ocfs2_remove_inode_range(), if they are greater than ocfs2_max_inline_data_with_xattr return -EINVAL.

Link: https://lkml.kernel.org/r/[email protected]
Fixes: 1afc32b ("ocfs2: Write support for inline data")
Signed-off-by: Edward Adam Davis <[email protected]>
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7
Reviewed-by: Joseph Qi <[email protected]>
Cc: Joel Becker <[email protected]>
Cc: Joseph Qi <[email protected]>
Cc: Mark Fasheh <[email protected]>
Cc: Junxiao Bi <[email protected]>
Cc: Changwei Ge <[email protected]>
Cc: Gang He <[email protected]>
Cc: Jun Piao <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>

1 parent d949d1d commit bc0a2f3

1 file changed: +8 -0 lines changed

fs/ocfs2/file.c

Lines changed: 8 additions & 0 deletions
@@ -1787,6 +1787,14 @@ int ocfs2_remove_inode_range(struct inode *inode,
17871787
return 0;
17881788

17891789
if (OCFS2_I(inode)->ip_dyn_features & OCFS2_INLINE_DATA_FL) {
1790+
int id_count = ocfs2_max_inline_data_with_xattr(inode->i_sb, di);
1791+
1792+
if (byte_start > id_count || byte_start + byte_len > id_count) {
1793+
ret = -EINVAL;
1794+
mlog_errno(ret);
1795+
goto out;
1796+
}
1797+
17901798
ret = ocfs2_truncate_inline(inode, di_bh, byte_start,
17911799
byte_start + byte_len, 0);
17921800
if (ret) {
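
Review bot: The second condition of the new `if` computes `byte_start + byte_len` before comparing it with `id_count`, so with the u64 arguments the subject line describes, the sum can wrap around and a very large `byte_len` passes the check; the same wrapped sum is then handed to `ocfs2_truncate_inline()` as the end offset. Testing without the addition avoids this, for example `if (byte_start > id_count || byte_len > id_count - byte_start)`, where the subtraction cannot underflow because the first condition has already ruled out `byte_start > id_count`. Separately, `id_count` is declared as a signed `int` but is only ever compared against unsigned values; declaring it unsigned would make the comparison's intent explicit. A one-line comment above the check saying that inline data cannot extend past `ocfs2_max_inline_data_with_xattr()` would also help, since the reason for returning -EINVAL here is only stated in the commit message.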
