From: Wenliang Fan
Date: Fri, 20 Dec 2013 07:28:56 +0000 (+0800)
Subject: fs/btrfs: Integer overflow in btrfs_ioctl_resize()
X-Git-Tag: upstream/snapshot3+hdmi~3409^2~82
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=eb8052e015f2c015926db45943f8ee724ace97e5;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git

fs/btrfs: Integer overflow in btrfs_ioctl_resize()

The local variable 'new_size' comes from userspace. If a large number was passed, there would be an integer overflow in the following line:

    new_size = old_size + new_size;

Signed-off-by: Wenliang Fan
Signed-off-by: Josef Bacik
Signed-off-by: Chris Mason
---
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index edf5f00..ed3edc283 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -1474,6 +1474,10 @@ static noinline int btrfs_ioctl_resize(struct file *file, } new_size = old_size - new_size; } else if (mod > 0) { + if (new_size > ULLONG_MAX - old_size) { + ret = -EINVAL; + goto out_free; + } new_size = old_size + new_size; }
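Review bot: the guard `if (new_size > ULLONG_MAX - old_size)` in the `mod > 0` branch is the right shape for an unsigned 64-bit addition check (the subtraction on the right cannot itself wrap, since old_size is at most ULLONG_MAX), but the three added lines carry no comment, so a reader meeting the bare comparison and `ret = -EINVAL;` later will not know it is rejecting a user-supplied size that would wrap; a one-line comment such as `/* new_size is user-controlled; reject values that would overflow old_size + new_size */` above the `if` would make the intent explicit. The hunk context also shows the symmetric `new_size = old_size - new_size;` in the `mod < 0` path with only its closing brace visible; whoever applies this should confirm that path has its own underflow guard (new_size larger than old_size), since it is not part of this change.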