Commit 3a8389d4 authored by Johannes Thumshirn, committed by Damien Le Moal

zonefs: handle integer overflow in zonefs_fname_to_fno



In zonefs the file name in one of the two directories corresponds to the
zone number.

Here Alexey reported a possible integer overflow in zonefs_fname_to_fno(),
where the parsing of the zone number from the file name can overflow the
'long' data type.

Add a check for integer overflows and if the fno 'long' did overflow
return -ENOENT.

Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Fixes: d207794a ("zonefs: Dynamically create file inodes when needed")
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
parent 5d691905
+5 −1
@@ -610,10 +610,14 @@ static long zonefs_fname_to_fno(const struct qstr *fname)
		return c - '0';

	for (i = 0, rname = name + len - 1; i < len; i++, rname--) {
		long digit;

		c = *rname;
		if (!isdigit(c))
			return -ENOENT;
		fno += (c - '0') * shift;
		digit = (c - '0') * shift;
		if (check_add_overflow(fno, digit, &fno))
			return -ENOENT;
		shift *= 10;
	}
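
Review bot: The product `digit = (c - '0') * shift;` and the update `shift *= 10;` inside the loop are still plain arithmetic; only the addition into fno goes through check_add_overflow(). For a name with enough digits, shift can exceed the range of its type before the addition is tested, and the wrapped product may then pass the add check and yield a bogus fno instead of -ENOENT. Consider guarding both the multiplication and the shift update with check_mul_overflow(), or rejecting names longer than the maximum decimal width of a valid file number before entering the loop. A short comment explaining why overflow maps to -ENOENT would also help future readers.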