In ll_ioctl_fiemap(), a user-supplied value is used to calculate the
length of a buffer that is later allocated with user data.
Commit from upstream kernel
7bc3dfa37ba6f6ea81c362eb1993bd20c0828eae
Change-Id: Ia1d255f9570fe1b136f1b0dd7caabe26b7b36665
Signed-off-by: Vitaly Osipov <vitaly.osipov@gmail.com>
Signed-off-by: Oleg Drokin <oleg.drokin@intel.com>
Reviewed-on: http://review.whamcloud.com/11413
Tested-by: Jenkins
Reviewed-by: Dmitry Eremin <dmitry.eremin@intel.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: James Simmons <uja.ornl@gmail.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
}
#endif
+#ifndef SIZE_MAX
+#define SIZE_MAX (~(size_t)0)
+#endif
+
#endif /* _COMPAT25_H */
if (get_user(extent_count,
&((struct ll_user_fiemap __user *)arg)->fm_extent_count))
RETURN(-EFAULT);
+
+ if (extent_count >=
+ (SIZE_MAX - sizeof(*fiemap_s)) / sizeof(struct ll_fiemap_extent))
+ RETURN(-EINVAL);
num_bytes = sizeof(*fiemap_s) + (extent_count *
sizeof(struct ll_fiemap_extent));
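Review bot: The new guard in ll_ioctl_fiemap() only stops the `num_bytes` computation from wrapping, so any `extent_count` just below `(SIZE_MAX - sizeof(*fiemap_s)) / sizeof(struct ll_fiemap_extent)` still passes and the allocation size remains chosen by the caller. If the interface has a sensible per-call extent limit, I would check against it here as well, e.g. `if (extent_count > <MAX_EXTENTS_PLACEHOLDER>) RETURN(-EINVAL);`, where the constant is a placeholder for a documented limit that this page does not show. The declarations of `extent_count` and `num_bytes` are outside the hunk; the check is sufficient only if `num_bytes` is a `size_t`, because a narrower type would truncate the sum even when the SIZE_MAX comparison passes. A short comment above the check, such as `/* reject counts that would overflow num_bytes */`, would tell the next reader why the bound is expressed in terms of SIZE_MAX.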