From: Sahitya Tummala <stummala@codeaurora.org>
Date: Tue, 17 Sep 2019 04:49:23 +0000 (+0530)
Subject: f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()
X-Git-Tag: v5.15~5457^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fbbf779989d2ef9a51daaa4e53c0b2ecc8c55c4e;p=platform%2Fkernel%2Flinux-starfive.git

f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()

end = range.start + range.len;

If the range.start/range.len is a very large value, then end can overflow
in this operation. It results into a crash in get_valid_blocks() when
accessing the invalid range.start segno.

This issue is reported in ioctl fuzz testing.

Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---

diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index aea82f2..e4b78fb 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2264,9 +2264,9 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg)
 		return -EROFS;
 
 	end = range.start + range.len;
-	if (range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi)) {
+	if (end < range.start || range.start < MAIN_BLKADDR(sbi) ||
+					end >= MAX_BLKADDR(sbi))
 		return -EINVAL;
-	}
 
 	ret = mnt_want_write_file(filp);
 	if (ret)