zonefs: handle integer overflow in zonefs_fname_to_fno
authorJohannes Thumshirn <johannes.thumshirn@wdc.com>
Wed, 29 Apr 2026 20:58:15 +0000 (22:58 +0200)
committerDamien Le Moal <dlemoal@kernel.org>
Mon, 11 May 2026 22:53:20 +0000 (07:53 +0900)
In zonefs the file name in one of the two directories corresponds to the
zone number.

Here Alexey reported a possible integer overflow in zonefs_fname_to_fno(),
where the parsing of the zone number from the file name can overflow the
'long' data type.

Add a check for integer overflows and if the fno 'long' did overflow
return -ENOENT.

Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Fixes: d207794ababe ("zonefs: Dynamically create file inodes when needed")
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
fs/zonefs/super.c

index 9b646cb5335d0643bc0431aa8efc35a90fbcdac5..ff43d6d1ea30ae777369c263d45a124a87a795c6 100644 (file)
@@ -610,10 +610,14 @@ static long zonefs_fname_to_fno(const struct qstr *fname)
                return c - '0';
 
        for (i = 0, rname = name + len - 1; i < len; i++, rname--) {
+               long digit;
+
                c = *rname;
                if (!isdigit(c))
                        return -ENOENT;
-               fno += (c - '0') * shift;
+               digit = (c - '0') * shift;
+               if (check_add_overflow(fno, digit, &fno))
+                       return -ENOENT;
                shift *= 10;
        }
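Review bot: The two multiplications in the loop, `(c - '0') * shift` and `shift *= 10`, are still unchecked, so the added `check_add_overflow()` only catches an overflow in the final addition. For a name with enough digits `shift` itself can wrap first, after which `digit` is a wrapped value and the sum may not overflow at all, so a bogus file number could be returned instead of -ENOENT (whether the caller's range check rejects it is not visible here). Checking the products as well closes this: `if (check_mul_overflow((long)(c - '0'), shift, &digit) || check_add_overflow(fno, digit, &fno)) return -ENOENT;` followed by `if (i + 1 < len && check_mul_overflow(shift, 10L, &shift)) return -ENOENT;`, where the `i + 1 < len` guard keeps the largest valid values parseable. zonefs_fname_to_fno() begins and ends outside this hunk, so `shift` is assumed to be declared `long` like `fno`.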