tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

ext2: Check block size validity during mount

Check that log of block size stored in the superblock has sensible
value. Otherwise the shift computing the block size can overflow leading
to undefined behavior.

Reported-by: syzbot+4fec412f59eba8c01b77@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>

Jan Kara 62aeb944 e9cd1d9a

+8
+1
fs/ext2/ext2.h
··· 180 180 #define EXT2_MIN_BLOCK_SIZE 1024 181 181 #define EXT2_MAX_BLOCK_SIZE 65536 182 182 #define EXT2_MIN_BLOCK_LOG_SIZE 10 183 + #define EXT2_MAX_BLOCK_LOG_SIZE 16 183 184 #define EXT2_BLOCK_SIZE(s) ((s)->s_blocksize) 184 185 #define EXT2_ADDR_PER_BLOCK(s) (EXT2_BLOCK_SIZE(s) / sizeof (__u32)) 185 186 #define EXT2_BLOCK_SIZE_BITS(s) ((s)->s_blocksize_bits)
+7
fs/ext2/super.c
··· 945 945 goto failed_mount; 946 946 } 947 947 948 + if (le32_to_cpu(es->s_log_block_size) > 949 + (EXT2_MAX_BLOCK_LOG_SIZE - BLOCK_SIZE_BITS)) { 950 + ext2_msg(sb, KERN_ERR, 951 + "Invalid log block size: %u", 952 + le32_to_cpu(es->s_log_block_size)); 953 + goto failed_mount; 954 + } 948 955 blocksize = BLOCK_SIZE << le32_to_cpu(sbi->s_es->s_log_block_size); 949 956 950 957 if (test_opt(sb, DAX)) {