Whamcloud - gitweb
LU-4423 llite: Integer overflow in ll_ioctl_fiemap 13/11413/3
author Oleg Drokin <oleg.drokin@intel.com>
Tue, 12 Aug 2014 13:43:44 +0000 (09:43 -0400)
committer Oleg Drokin <oleg.drokin@intel.com>
Sun, 17 Aug 2014 16:53:32 +0000 (16:53 +0000)
In ll_ioctl_fiemap(), a user-supplied value is used to calculate a
length of a buffer which is later allocated with user data.

Commit from upstream kernel 7bc3dfa37ba6f6ea81c362eb1993bd20c0828eae

Change-Id: Ia1d255f9570fe1b136f1b0dd7caabe26b7b36665
Signed-off-by: Vitaly Osipov <vitaly.osipov@gmail.com>
Signed-off-by: Oleg Drokin <oleg.drokin@intel.com>
Reviewed-on: http://review.whamcloud.com/11413
Tested-by: Jenkins
Reviewed-by: Dmitry Eremin <dmitry.eremin@intel.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: James Simmons <uja.ornl@gmail.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
lustre/include/linux/lustre_compat25.h
lustre/llite/file.c

index 4ec8e55..5bebf47 100644 (file)
@@ -361,4 +361,8 @@ static inline int radix_tree_exceptional_entry(void *arg)
 }
 #endif
 
+#ifndef SIZE_MAX
+#define SIZE_MAX       (~(size_t)0)
+#endif
+
 #endif /* _COMPAT25_H */
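Review bot: the `#ifndef SIZE_MAX` fallback added just before the closing `#endif /* _COMPAT25_H */` carries no comment saying which build environments need it, and it depends on include order. The guard only suppresses the definition if a header that defines SIZE_MAX has already been seen; if such a header is pulled in after lustre_compat25.h, the macro is defined twice. An identical redefinition is legal C, so please add a one-line comment stating that the definition must stay token-for-token the same as the kernel's, and name the case the fallback covers (kernel headers that do not provide SIZE_MAX).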
index adf68ef..b29a9c6 100644 (file)
@@ -1949,6 +1949,10 @@ static int ll_ioctl_fiemap(struct inode *inode, unsigned long arg)
         if (get_user(extent_count,
             &((struct ll_user_fiemap __user *)arg)->fm_extent_count))
                 RETURN(-EFAULT);
+
+       if (extent_count >=
+           (SIZE_MAX - sizeof(*fiemap_s)) / sizeof(struct ll_fiemap_extent))
+               RETURN(-EINVAL);
         num_bytes = sizeof(*fiemap_s) + (extent_count *
                                          sizeof(struct ll_fiemap_extent));
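Review bot: the new `extent_count >= (SIZE_MAX - sizeof(*fiemap_s)) / sizeof(struct ll_fiemap_extent)` check is computed in size_t, so it only prevents the wrap in the `num_bytes = sizeof(*fiemap_s) + (extent_count * ...)` line below it if num_bytes is itself a size_t. The declarations of extent_count and num_bytes are outside this hunk, so please confirm num_bytes is not a narrower type such as int, where the sum could still truncate after passing this test. Separately, the check bounds the request only by the address-space limit: an extent_count just under the threshold passes and still yields a num_bytes close to SIZE_MAX for the later allocation. Consider rejecting counts above a practical maximum number of extents rather than relying on the allocator to fail, and add a short comment above the check saying it guards the multiplication that follows.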