linux-ext4.vger.kernel.org archive mirror
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	Theodore Ts'o <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
	Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
	Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Thiemo Nagel <thiemo.nagel@ph.tum.de>,
	linux-ext4@vger.kernel.org
Subject: [patch 32/36] ext4: Add sanity checks for the superblock before mounting the filesystem
Date: Wed, 18 Feb 2009 14:29:55 -0800
Message-ID: <20090218222955.GG10668@kroah.com>
In-Reply-To: <20090218222841.GA10668@kroah.com>

[-- Attachment #1: ext4-add-sanity-checks-for-the-superblock-before-mounting-the-filesystem.patch --]
[-- Type: text/plain, Size: 2744 bytes --]

2.6.27-stable review patch.  If anyone has any objections, please let us know.

------------------

From: "Theodore Ts'o" <tytso@mit.edu>

(cherry picked from commit 4ec110281379826c5cf6ed14735e47027c3c5765)

This avoids insane superblock configurations that could lead to kernel
oops due to null pointer dereferences.

http://bugzilla.kernel.org/show_bug.cgi?id=12371

Thanks to David Maciejak at Fortinet's FortiGuard Global Security
Research Team who discovered this bug independently (but at
approximately the same time) as Thiemo Nagel, who submitted the patch.

Signed-off-by: Thiemo Nagel <thiemo.nagel@ph.tum.de>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/ext4/super.c |   30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1916,8 +1916,8 @@ static int ext4_fill_super(struct super_
 	struct inode *root;
 	int ret = -EINVAL;
 	int blocksize;
-	int db_count;
-	int i;
+	unsigned int db_count;
+	unsigned int i;
 	int needs_recovery;
 	__le32 features;
 	__u64 blocks_count;
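
Review bot: the change of db_count and i from int to unsigned int is not explained in the changelog, which only mentions sanity checks. A sentence saying that it goes with the new upper bound on the group count (up to ((uint64_t)1<<32) - EXT4_DESC_PER_BLOCK(sb), which does not fit a signed int) would help stable reviewers. The other uses of i and db_count in ext4_fill_super are not shown in this patch, so they should be checked for countdown loops or "< 0" comparisons that would behave differently once the variables are unsigned.
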
@@ -2207,20 +2207,30 @@ static int ext4_fill_super(struct super_
 	if (EXT4_BLOCKS_PER_GROUP(sb) == 0)
 		goto cantfind_ext4;
 
-	/* ensure blocks_count calculation below doesn't sign-extend */
-	if (ext4_blocks_count(es) + EXT4_BLOCKS_PER_GROUP(sb) <
-	    le32_to_cpu(es->s_first_data_block) + 1) {
-		printk(KERN_WARNING "EXT4-fs: bad geometry: block count %llu, "
-		       "first data block %u, blocks per group %lu\n",
-			ext4_blocks_count(es),
-			le32_to_cpu(es->s_first_data_block),
-			EXT4_BLOCKS_PER_GROUP(sb));
+	/*
+	 * It makes no sense for the first data block to be beyond the end
+	 * of the filesystem.
+	 */
+	if (le32_to_cpu(es->s_first_data_block) >= ext4_blocks_count(es)) {
+		printk(KERN_WARNING "EXT4-fs: bad geometry: first data"
+		       "block %u is beyond end of filesystem (%llu)\n",
+		       le32_to_cpu(es->s_first_data_block),
+		       ext4_blocks_count(es));
 		goto failed_mount;
 	}
 	blocks_count = (ext4_blocks_count(es) -
 			le32_to_cpu(es->s_first_data_block) +
 			EXT4_BLOCKS_PER_GROUP(sb) - 1);
 	do_div(blocks_count, EXT4_BLOCKS_PER_GROUP(sb));
+	if (blocks_count > ((uint64_t)1<<32) - EXT4_DESC_PER_BLOCK(sb)) {
+		printk(KERN_WARNING "EXT4-fs: groups count too large: %u "
+		       "(block count %llu, first data block %u, "
+		       "blocks per group %lu)\n", sbi->s_groups_count,
+		       ext4_blocks_count(es),
+		       le32_to_cpu(es->s_first_data_block),
+		       EXT4_BLOCKS_PER_GROUP(sb));
+		goto failed_mount;
+	}
 	sbi->s_groups_count = blocks_count;
 	db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
 		   EXT4_DESC_PER_BLOCK(sb);
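
Review bot: in the new "groups count too large" warning, the %u argument is sbi->s_groups_count, but that field is only assigned on the line after the check (sbi->s_groups_count = blocks_count;), so the message does not report the value that actually failed the test. Printing blocks_count with %llu would log the offending count. Separately, the split string "first data" "block %u" in the first-data-block warning concatenates without a space and will log "first datablock"; a trailing space on the first fragment fixes it.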

