From: Ed Maste
Date: Mon, 12 Aug 2019 17:25:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r350903 - stable/12/sys/fs/nandfs

Author: emaste
Date: Mon Aug 12 17:25:32 2019
New Revision: 350903
URL: https://svnweb.freebsd.org/changeset/base/350903

Log:
  nandfs: avoid integer overflow in nandfs_get_dat_bdescs_ioctl

  nandfs was removed in head in r349352 and in any case was not built by
  default, but address the potential integer overflow in case someone does
  enable it and manages to avoid a panic from other nandfs issues.

  admbugs: 815
  Reported by: Ilja Van Sprundel
  Reviewed by: imp
  MFC after: 1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D21232

Modified:
  stable/12/sys/fs/nandfs/nandfs_dat.c

Modified: stable/12/sys/fs/nandfs/nandfs_dat.c ============================================================================== --- stable/12/sys/fs/nandfs/nandfs_dat.c Mon Aug 12 17:18:20 2019 (r350902) +++ stable/12/sys/fs/nandfs/nandfs_dat.c Mon Aug 12 17:25:32 2019 (r350903) @@ -298,6 +298,9 @@ nandfs_get_dat_bdescs_ioctl(struct nandfs_device *nffs size_t size; int error; + if (nargv->nv_nmembs >= SIZE_MAX / sizeof(struct nandfs_bdesc)) + return (EINVAL); + size = nargv->nv_nmembs * sizeof(struct nandfs_bdesc); bd = malloc(size, M_NANDFSTEMP, M_WAITOK); error = copyin((void *)(uintptr_t)nargv->nv_base, bd, size);
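Review bot: The new check at the top of nandfs_get_dat_bdescs_ioctl only rules out wrap-around in nargv->nv_nmembs * sizeof(struct nandfs_bdesc); a count just below SIZE_MAX / sizeof(struct nandfs_bdesc) still passes and reaches malloc(size, M_NANDFSTEMP, M_WAITOK) with a size taken straight from the ioctl argument. Consider also rejecting counts above a documented per-call maximum for this ioctl, so that the allocation and the following copyin are bounded by something the file system can justify rather than by the width of size_t. Minor: ">=" also rejects the largest count whose product would still fit, where ">" is the exact bound; the stricter form is harmless, but a one-line comment stating that the test guards the multiplication on the next line would make the intent clear to the next reader.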