eCryptfs: Infinite loop due to overflow in ecryptfs_write()

commit 684a3ff upstream. ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [[email protected]: rewrite subject and commit message] Signed-off-by: Li Wang <[email protected]> Signed-off-by: Yunchuan Wen <[email protected]> Reviewed-by: Cong Wang <[email protected]> Signed-off-by: Tyler Hicks <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
adimgong · Apr 3, 2012 · ae748c0 · ae748c0
1 parent 4a29213
commit ae748c0
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
@@ -134,7 +134,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
 		pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT);
 		size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK);
 		size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
-		size_t total_remaining_bytes = ((offset + size) - pos);
+		loff_t total_remaining_bytes = ((offset + size) - pos);
 
 		if (fatal_signal_pending(current)) {
 			rc = -EINTR;
@@ -145,7 +145,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
 			num_bytes = total_remaining_bytes;
 		if (pos < offset) {
 			/* remaining zeros to write, up to destination offset */
-			size_t total_remaining_zeros = (offset - pos);
+			loff_t total_remaining_zeros = (offset - pos);
 
 			if (num_bytes > total_remaining_zeros)
 				num_bytes = total_remaining_zeros;