On 01/10/2013 04:57 PM, Dan Carpenter wrote: > The closing parenthesis is in the wrong place. We want to check > "sizeof(*arg->clone_sources) * arg->clone_sources_count" instead of > "sizeof(*arg->clone_sources * arg->clone_sources_count)". > > Signed-off-by: Dan Carpenter <[email protected]> > --- > This is also vulnerable to integer overflows. It's only done under > root, but these days we are trying to restrict what root can do without > configuring Secure Boot in UEFI. > > diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c > index 5445454..4be3832 100644 > --- a/fs/btrfs/send.c > +++ b/fs/btrfs/send.c > @@ -4553,8 +4553,8 @@ long btrfs_ioctl_send(struct file *mnt_file, void > __user *arg_) > } > > if (!access_ok(VERIFY_READ, arg->clone_sources, > - sizeof(*arg->clone_sources * > - arg->clone_sources_count))) { > + sizeof(*arg->clone_sources) * > + arg->clone_sources_count)) { > ret = -EFAULT; > goto out; > } Reviewed-by: Jie Liu <[email protected]>
Thanks, -Jeff > -- > To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in > the body of a message to [email protected] > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
