tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
ext2: Verify bitmap and itable block numbers before using them
Verify bitmap block numbers and inode table blocks are sane before using
them for checking bits in the block bitmap.
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
+9
-2
+9
-2
fs/ext2/balloc.c
+9
-2
fs/ext2/balloc.c
···
77
77
ext2_grpblk_t next_zero_bit;
78
78
ext2_fsblk_t bitmap_blk;
79
79
ext2_fsblk_t group_first_block;
80
+
ext2_grpblk_t max_bit;
80
81
81
82
group_first_block = ext2_group_first_block_no(sb, block_group);
83
+
max_bit = ext2_group_last_block_no(sb, block_group) - group_first_block;
82
84
83
85
/* check whether block bitmap block number is set */
84
86
bitmap_blk = le32_to_cpu(desc->bg_block_bitmap);
85
87
offset = bitmap_blk - group_first_block;
86
-
if (!ext2_test_bit(offset, bh->b_data))
88
+
if (offset < 0 || offset > max_bit ||
89
+
!ext2_test_bit(offset, bh->b_data))
87
90
/* bad block bitmap */
88
91
goto err_out;
89
92
90
93
/* check whether the inode bitmap block number is set */
91
94
bitmap_blk = le32_to_cpu(desc->bg_inode_bitmap);
92
95
offset = bitmap_blk - group_first_block;
93
-
if (!ext2_test_bit(offset, bh->b_data))
96
+
if (offset < 0 || offset > max_bit ||
97
+
!ext2_test_bit(offset, bh->b_data))
94
98
/* bad block bitmap */
95
99
goto err_out;
96
100
97
101
/* check whether the inode table block number is set */
98
102
bitmap_blk = le32_to_cpu(desc->bg_inode_table);
99
103
offset = bitmap_blk - group_first_block;
104
+
if (offset < 0 || offset > max_bit ||
105
+
offset + EXT2_SB(sb)->s_itb_per_group - 1 > max_bit)
106
+
goto err_out;
100
107
next_zero_bit = ext2_find_next_zero_bit(bh->b_data,
101
108
offset + EXT2_SB(sb)->s_itb_per_group,
102
109
offset);