Both "offset" and "len" are signed integers who's addition may overflow and trigger undefined behaviour.
Signed-off-by: Sasha Levin <[email protected]> --- fs/open.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/open.c b/fs/open.c index 813be03..33d5cae 100644 --- a/fs/open.c +++ b/fs/open.c @@ -287,7 +287,8 @@ int vfs_fallocate(struct file *file, int mode, loff_t offset, loff_t len) return -ENODEV; /* Check for wrap through zero too */ - if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0)) + if (check_add_overflow(offset, len) || + (offset + len) > inode->i_sb->s_maxbytes) return -EFBIG; if (!file->f_op->fallocate) -- 1.7.10.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
