f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()

end = range.start + range.len; If the range.start/range.len is a very large value, then end can overflow in this operation. It results into a crash in get_valid_blocks() when accessing the invalid range.start segno. This issue is reported in ioctl fuzz testing. Signed-off-by: Sahitya Tummala <stummala@codeaurora.org> Reviewed-by: Chao Yu <yuchao0@huawei.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>

f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()
end = range.start + range.len; If the range.start/range.len is a very large value, then end can overflow in this operation. It results into a crash in get_valid_blocks() when accessing the invalid range.start segno. This issue is reported in ioctl fuzz testing. Signed-off-by: Sahitya Tummala <stummala@codeaurora.org> Reviewed-by: Chao Yu <yuchao0@huawei.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
fbbf7799 · Sahitya Tummala · Jaegeuk Kim · 8223ecc4 · fbbf7799
Commit fbbf7799 authored Sep 17, 2019 by Sahitya Tummala Committed by Jaegeuk Kim Sep 17, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

fs/f2fs/file.c fs/f2fs/file.c +2 -2

No files found.
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2264,9 +2264,9 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg)
 		return -EROFS;

 	end = range.start + range.len;
-	if (range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi)) {
+	if (end < range.start || range.start < MAIN_BLKADDR(sbi) ||
+					end >= MAX_BLKADDR(sbi))
 		return -EINVAL;
-	}

 	ret = mnt_want_write_file(filp);
 	if (ret)