From: Dan Carpenter
Date: Thu, 14 Sep 2023 14:59:10 +0000 (+0300)
Subject: bcachefs: chardev: fix an integer overflow (32 bit only)
X-Git-Tag: v6.7-rc1~201^2~53
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4ba985b84de627ba4f257c9843d0dd7146df2180;p=thirdparty%2Flinux.git
bcachefs: chardev: fix an integer overflow (32 bit only)
On 32 bit systems, "sizeof(*arg) + replica_entries_bytes" can have an integer overflow leading to memory corruption. Use size_add() to prevent this.
Fixes: b44dd3797034 ("bcachefs: Redo filesystem usage ioctls")
Signed-off-by: Dan Carpenter
Signed-off-by: Kent Overstreet
---
diff --git a/fs/bcachefs/chardev.c b/fs/bcachefs/chardev.c
index e5e9fddddfb58..51d6712677418 100644
--- a/fs/bcachefs/chardev.c
+++ b/fs/bcachefs/chardev.c
@@ -421,7 +421,7 @@ static long bch2_ioctl_fs_usage(struct bch_fs *c,
 if (get_user(replica_entries_bytes, &user_arg->replica_entries_bytes))
 return -EFAULT;
- arg = kzalloc(sizeof(*arg) + replica_entries_bytes, GFP_KERNEL);
+ arg = kzalloc(size_add(sizeof(*arg), replica_entries_bytes), GFP_KERNEL);
 if (!arg)
 return -ENOMEM;
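Review bot: The length handed to `kzalloc()` is still limited only by the type of `replica_entries_bytes`, which is copied from user space by `get_user()` two lines earlier. `size_add()` turns a wrapped sum into a failed allocation, but it does not cap what the ioctl caller may request. Unless a limit is enforced outside this hunk, an oversized value goes straight to the allocator, where the failure is reported as `-ENOMEM` and may also produce an allocation warning in the kernel log. Consider rejecting values above a defined maximum with `-EINVAL` before allocating, or at least passing `GFP_KERNEL | __GFP_NOWARN`, and add a comment such as `/* size_add() saturates at SIZE_MAX, so an overflowing request makes kzalloc() fail */`. The body of bch2_ioctl_fs_usage starts and ends outside the hunk, so later uses of `replica_entries_bytes` against the allocated size could not be checked here.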