[PATCH] ext4: reject inodes with negative size

[PATCH] ext4: reject inodes with negative size

[Darrick J. Wong]

Don't load an inode with a negative size; this causes integer overflow
problems in the VFS.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
 fs/ext4/inode.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 9c06472..b1108a9 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4534,6 +4534,10 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
 		ei->i_file_acl |=
 			((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32;
 	inode->i_size = ext4_isize(raw_inode);
+	if (i_size_read(inode) < 0) {
+		ret = -EFSCORRUPTED;
+		goto bad_inode;
+	}
 	ei->i_disksize = inode->i_size;
 #ifdef CONFIG_QUOTA
 	ei->i_reserved_quota = 0;

Re: [PATCH] ext4: reject inodes with negative size

[Theodore Ts'o]

On Tue, Dec 06, 2016 at 03:57:40PM -0800, Darrick J. Wong wrote:
> Don't load an inode with a negative size; this causes integer overflow
> problems in the VFS.
> 
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

Thanks, applied.  I added a call to EXT4_ERROR_INODE() so the file
system would be marked corrupted.

				- Ted