From: Lukasz Jagiello Date: Sat, 18 Aug 2018 15:32:21 +0000 (-0700) Subject: lseek - integer overflow X-Git-Tag: lxc-3.1.0~151^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8737e2a8a56f2dc4c8f35ccc413d59b5c78c3a30;p=thirdparty%2Flxc.git lseek - integer overflow The issue was introduced in PR (https://github.com/lxc/lxc/pull/1705): Previous code: ``` if (lseek(fd, size, SEEK_SET) < 0) { SYSERROR("Error seeking to set new loop file size"); close(fd); return -1; } ``` New code: ``` int fd, ret; [...] ret = lseek(fd, size, SEEK_SET); if (ret < 0) { SYSERROR("Failed to seek to set new loop file size for loop " "file \"%s\"", path); close(fd); return -1; } ``` Based on http://man7.org/linux/man-pages/man2/lseek.2.html: > Upon successful completion, lseek() returns the resulting offset > location as measured in bytes from the beginning of the file. So in this case value of `size` and `size` is `uint64_t`. This fix change declaration of `ret`, but it can be fixed in other ways. Let me know what works for you. This PR fix issues (https://github.com/lxc/lxc/issues/1872). Signed-off-by: Lukasz Jagiello --- diff --git a/src/lxc/storage/loop.c b/src/lxc/storage/loop.c index c4d393452..fa5386548 100644 --- a/src/lxc/storage/loop.c +++ b/src/lxc/storage/loop.c @@ -297,6 +297,7 @@ int loop_umount(struct lxc_storage *bdev) static int do_loop_create(const char *path, uint64_t size, const char *fstype) { int fd, ret; + off_t ret_size; char cmd_output[MAXPATHLEN]; const char *cmd_args[2] = {fstype, path}; @@ -307,8 +308,8 @@ static int do_loop_create(const char *path, uint64_t size, const char *fstype) return -1; } - ret = lseek(fd, size, SEEK_SET); - if (ret < 0) { + ret_size = lseek(fd, size, SEEK_SET); + if (ret_size < 0) { SYSERROR("Failed to seek to set new loop file size for loop " "file \"%s\"", path); close(fd);
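Review bot: the `off_t ret_size;` declaration added at the top of do_loop_create() sits next to `int fd, ret;` with nothing in the code saying why the lseek() result needs its own variable, so a later cleanup could fold it back into `ret` and bring the truncation back. A one-line comment stating that lseek() returns an off_t offset which must not be stored in an int would guard against that, and a name such as `offset` would describe the value better than `ret_size`.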
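Review bot: in the second hunk, `ret_size = lseek(fd, size, SEEK_SET);` still passes the `uint64_t size` parameter straight into lseek()'s signed off_t offset argument, so the signed/unsigned mismatch is fixed on the return side only. Consider rejecting a `size` that does not fit in off_t before the call, and comparing the returned offset with the requested one rather than testing only `ret_size < 0`, so an out-of-range size is reported explicitly instead of depending on how the implicit conversion and lseek() happen to behave.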