From mboxrd@z Thu Jan 1 00:00:00 1970 From: Anant Thazhemadam Date: Wed, 14 Oct 2020 22:01:09 +0530 Subject: [Cluster-devel] [PATCH v2] fs: gfs2: add validation checks for size of superblock Message-ID: <20201014163109.98739-1-anant.thazhemadam@gmail.com> List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit In gfs2_check_sb(), no validation checks are performed with regards to the size of the superblock. syzkaller detected a slab-out-of-bounds bug that was primarily caused because the block size for a superblock was set to zero. A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE. Performing validation checks and ensuring that the size of the superblock is valid fixes this bug. Reported-by: syzbot+af90d47a37376844e731 at syzkaller.appspotmail.com Tested-by: syzbot+af90d47a37376844e731 at syzkaller.appspotmail.com Suggested-by: Andrew Price Signed-off-by: Anant Thazhemadam --- Changes in v2: * Completely dropped the changes proposed in v1. Instead, validity checks for superblock size have been introduced. (Suggested by Andrew Price) * Addded a "Suggested-by" tag accrediting the patch idea to Andrew. If there's any issue with that, please let me know. * Changed the commit header and commit message appropriately. * Updated "Reported-by" and "Tested-by" tags to the same instance of the bug that was detected earlier (non consequential change). fs/gfs2/ops_fstype.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c index 6d18d2c91add..f0605fae2c4c 100644 --- a/fs/gfs2/ops_fstype.c +++ b/fs/gfs2/ops_fstype.c @@ -169,6 +169,13 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int silent) return -EINVAL; } + /* Check if the size of the block is valid - a power of 2 between 512 and PAGE_SIZE */ + if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE || (sb->sb_bsize & (sb->sb_bsize - 1))) { + if (!silent) + pr_warn("Invalid superblock size\n"); + return -EINVAL; + } + /* If format numbers match exactly, we're done. */ if (sb->sb_fs_format == GFS2_FORMAT_FS && -- 2.25.1