zonefs: handle integer overflow in zonefs_fname_to_fno
authorJohannes Thumshirn <johannes.thumshirn@wdc.com>
Wed, 29 Apr 2026 20:58:15 +0000 (22:58 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Jun 2026 15:46:26 +0000 (17:46 +0200)
[ Upstream commit 3a8389d42bdf4213730f4067f8bfa78bae6564ef ]

In zonefs the file name in one of the two directories corresponds to the
zone number.

Here Alexey reported a possible integer overflow in zonefs_fname_to_fno(),
where the parsing of the zone number from the file name can overflow the
'long' data type.

Add a check for integer overflows and if the fno 'long' did overflow
return -ENOENT.

Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Fixes: d207794ababe ("zonefs: Dynamically create file inodes when needed")
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
fs/zonefs/super.c

index faf1eb87895d0e0d4fde2fc65ce6d3dfb80bbca3..72408d8f9345c11ff40d306e61b8b3959164a364 100644 (file)
@@ -610,10 +610,14 @@ static long zonefs_fname_to_fno(const struct qstr *fname)
                return c - '0';
 
        for (i = 0, rname = name + len - 1; i < len; i++, rname--) {
+               long digit;
+
                c = *rname;
                if (!isdigit(c))
                        return -ENOENT;
-               fno += (c - '0') * shift;
+               digit = (c - '0') * shift;
+               if (check_add_overflow(fno, digit, &fno))
+                       return -ENOENT;
                shift *= 10;
        }
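Review bot: The multiplication `(c - '0') * shift` and the `shift *= 10` update at the end of the loop body are still unchecked, so only the final addition is guarded. Once the name has more digits than a `long` can represent, `shift` itself has already overflowed (kernel builds normally make signed overflow wrap rather than trap, which is worth confirming for this tree), and the resulting `digit` can be a value that does not trip `check_add_overflow()`. An over-long all-digit name may therefore still return a number instead of -ENOENT. Accumulating from the most significant digit with `check_mul_overflow()` on `fno * 10`, followed by `check_add_overflow()`, covers both operations and makes `shift`, `rname` and `digit` unnecessary. The declarations of `shift` and `rname` are in the part of zonefs_fname_to_fno() above the hunk and would need to be dropped there.

```c
	for (i = 0; i < len; i++) {
		c = name[i];
		/* … unchanged: isdigit() check returning -ENOENT … */
		if (check_mul_overflow(fno, 10L, &fno) ||
		    check_add_overflow(fno, (long)(c - '0'), &fno))
			return -ENOENT;
	}
```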