From: Jamie Hill-Daniel <jamie@hill-daniel.co.uk>
commit 722d94847de29310e8aa03fcbdb41fc92c521756 upstream.
The "PAGE_SIZE - 2 - size" calculation in legacy_parse_param() is an unsigned type so a large value of "size" results in a high positive value instead of a negative value as expected. Fix this by getting rid of the subtraction.
Signed-off-by: Jamie Hill-Daniel <jamie@hill-daniel.co.uk>
Signed-off-by: William Liu <willsroot@protonmail.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Tested-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fs_context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/fs_context.c +++ b/fs/fs_context.c @@ -585,7 +585,7 @@ static int legacy_parse_param(struct fs_ param->key); }
- if (len > PAGE_SIZE - 2 - size) + if (size + len + 2 > PAGE_SIZE) return invalf(fc, "VFS: Legacy: Cumulative options too large"); if (strchr(param->key, ',') || (param->type == fs_value_is_string &&
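Review bot: the rewritten condition `if (size + len + 2 > PAGE_SIZE)` in legacy_parse_param() has no comment explaining why it is written as a sum, so a later cleanup could restore the `PAGE_SIZE - 2 - size` form and, with it, the wrap the commit message describes. A one-line comment above the condition noting that the subtraction wraps for a large `size` would guard against that. If `size` and `len` are unsigned, as the commit message implies for the old expression, the sum can in principle wrap as well, so it would help to state in the comment or the commit message what bounds `len` before this check is reached; that bound is not visible in this hunk.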