f2fs: add a condition to detect overflow in f2fs_ioc_gc_range()
authorSahitya Tummala <[email protected]>
Tue, 17 Sep 2019 04:49:23 +0000 (10:19 +0530)
committerJaegeuk Kim <[email protected]>
Tue, 17 Sep 2019 20:56:15 +0000 (13:56 -0700)
end = range.start + range.len;

If range.start or range.len is a very large value, then end can overflow
in this operation. This results in a crash in get_valid_blocks() when
accessing the invalid range.start segno.

This issue is reported in ioctl fuzz testing.

Signed-off-by: Sahitya Tummala <[email protected]>
Reviewed-by: Chao Yu <[email protected]>
Signed-off-by: Jaegeuk Kim <[email protected]>
fs/f2fs/file.c

index aea82f2b924024f22405ac8a1b6476d89a854eb4..e4b78fb3fc79be7de9b72b960203ac24a6228bad 100644 (file)
@@ -2264,9 +2264,9 @@ static int f2fs_ioc_gc_range(struct file *filp, unsigned long arg)
                return -EROFS;
 
        end = range.start + range.len;
-       if (range.start < MAIN_BLKADDR(sbi) || end >= MAX_BLKADDR(sbi)) {
+       if (end < range.start || range.start < MAIN_BLKADDR(sbi) ||
+                                       end >= MAX_BLKADDR(sbi))
                return -EINVAL;
-       }
 
        ret = mnt_want_write_file(filp);
        if (ret)
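Review bot: The new `end < range.start` test only detects wraparound if `end`, `range.start` and `range.len` are unsigned and of the same width; their declarations are outside the hunk, so this should be confirmed, since a narrower `end` would truncate without tripping the check. Because the commit message says the values were reached through ioctl fuzzing, a short comment above the condition would keep the intent from being lost in later edits, e.g. `/* reject start + len wrapping around before the range checks */`. Alternatively the addition and the test could be expressed as `check_add_overflow(range.start, range.len, &end)` from `<linux/overflow.h>`, which states the intent directly and does not depend on the reader knowing the operand types. The continuation line `end >= MAX_BLKADDR(sbi))` would also read better aligned under the first operand after `if (`. The body of f2fs_ioc_gc_range starts and ends outside the hunk, so later uses of `end` are not visible here.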