From: Nicolas Pitre <nicolas.pitre@linaro.org>
Date: Tue, 30 Oct 2018 17:26:15 +0000 (-0400)
Subject: Cramfs: fix abad comparison when wrap-arounds occur
X-Git-Tag: v4.14.81~33
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=fdd780d0a26070e59fe2c3690a776aad25227756;p=users%2Fjedix%2Flinux-maple.git

Cramfs: fix abad comparison when wrap-arounds occur

commit 672ca9dd13f1aca0c17516f76fc5b0e8344b3e46 upstream.

It is possible for corrupted filesystem images to produce very large
block offsets that may wrap when a length is added, and wrongly pass
the buffer size test.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
index 7919967488cbd..011c6f53dcda3 100644
--- a/fs/cramfs/inode.c
+++ b/fs/cramfs/inode.c
@@ -186,7 +186,8 @@ static void *cramfs_read(struct super_block *sb, unsigned int offset, unsigned i
 			continue;
 		blk_offset = (blocknr - buffer_blocknr[i]) << PAGE_SHIFT;
 		blk_offset += offset;
-		if (blk_offset + len > BUFFER_SIZE)
+		if (blk_offset > BUFFER_SIZE ||
+		    blk_offset + len > BUFFER_SIZE)
 			continue;
 		return read_buffers[i] + blk_offset;
 	}