From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eryu Guan <guaneryu@gmail.com>,
Phil Turnbull <phil.turnbull@oracle.com>,
Vegard Nossum <vegard.nossum@oracle.com>,
Theodore Tso <tytso@mit.edu>
Subject: [PATCH 4.7 36/41] ext4: check for extents that wrap around
Date: Sun, 14 Aug 2016 22:39:02 +0200 [thread overview]
Message-ID: <20160814202533.670554856@linuxfoundation.org> (raw)
In-Reply-To: <20160814202531.818402015@linuxfoundation.org>
4.7-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 upstream.
An extent with lblock = 4294967295 and len = 1 will pass the
ext4_valid_extent() test:
ext4_lblk_t last = lblock + len - 1;
if (len == 0 || lblock > last)
return 0;
since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().
We can simplify it by removing the - 1 altogether and changing the test
to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
lblock and it fails, and if len > 0 then lblock + len > lblock in order
to pass (i.e. it doesn't overflow).
Fixes: 5946d0893 ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
Fixes: 2f974865f ("ext4: check for zero length extent explicitly")
Cc: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -381,9 +381,13 @@ static int ext4_valid_extent(struct inod
ext4_fsblk_t block = ext4_ext_pblock(ext);
int len = ext4_ext_get_actual_len(ext);
ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
- ext4_lblk_t last = lblock + len - 1;
- if (len == 0 || lblock > last)
+ /*
+ * We allow neither:
+ * - zero length
+ * - overflow/wrap-around
+ */
+ if (lblock + len <= lblock)
return 0;
return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
}
next prev parent reply other threads:[~2016-08-14 20:46 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160814204653uscas1p136630e2fd59612e56b31ed2096f71df2@uscas1p1.samsung.com>
2016-08-14 20:38 ` [PATCH 4.7 00/41] 4.7.1-stable review Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 01/41] ext4: verify extent header depth Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 02/41] vfs: ioctl: prevent double-fetch in dedupe ioctl Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 03/41] vfs: fix deadlock in file_remove_privs() on overlayfs Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 04/41] udp: use sk_filter_trim_cap for udp{,6}_queue_rcv_skb Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 05/41] net/bonding: Enforce active-backup policy for IPoIB bonds Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 06/41] bridge: Fix incorrect re-injection of LLDP packets Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 07/41] net: ipv6: Always leave anycast and multicast groups on link down Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 08/41] sctp: fix BH handling on socket backlog Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 09/41] net/irda: fix NULL pointer dereference on memory allocation failure Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 10/41] net/sctp: terminate rhashtable walk correctly Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 11/41] qed: Fix setting/clearing bit in completion bitmap Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 12/41] macsec: ensure rx_sa is set when validation is disabled Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 13/41] tcp: consider recv buf for the initial window scale Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 14/41] arm: oabi compat: add missing access checks Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 15/41] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 16/41] IB/hfi1: Disable by default Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 17/41] apparmor: fix ref count leak when profile sha1 hash is read Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 18/41] random: strengthen input validation for RNDADDTOENTCNT Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 19/41] mm: memcontrol: fix swap counter leak on swapout from offline cgroup Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 20/41] mm: memcontrol: fix memcg id ref counter on swap charge move Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 21/41] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 22/41] block: fix use-after-free in seq file Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 23/41] sysv, ipc: fix security-layer leaking Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 24/41] radix-tree: account nodes to memcg only if explicitly requested Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 25/41] x86/microcode: Fix suspend to RAM with builtin microcode Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 26/41] x86/power/64: Fix hibernation return address corruption Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 27/41] fuse: fsync() did not return IO errors Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 28/41] fuse: fuse_flush must check mapping->flags for errors Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 29/41] fuse: fix wrong assignment of ->flags in fuse_send_init() Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 30/41] Revert "mm, mempool: only set __GFP_NOMEMALLOC if there are free elements" Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 31/41] fs/dcache.c: avoid soft-lockup in dput() Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 32/41] Revert "cpufreq: pcc-cpufreq: update default value of cpuinfo_transition_latency" Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 33/41] crypto: gcm - Filter out async ghash if necessary Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 34/41] crypto: scatterwalk - Fix test in scatterwalk_done Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 35/41] serial: mvebu-uart: free the IRQ in ->shutdown() Greg Kroah-Hartman
2016-08-14 20:39 ` Greg Kroah-Hartman [this message]
2016-08-14 20:39 ` [PATCH 4.7 37/41] ext4: fix deadlock during page writeback Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 38/41] ext4: dont call ext4_should_journal_data() on the journal inode Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 39/41] ext4: validate s_reserved_gdt_blocks on mount Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 40/41] ext4: short-cut orphan cleanup on error Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 41/41] ext4: fix reference counting bug on block allocation error Greg Kroah-Hartman
[not found] ` <57b11e62.eeb8c20a.9231a.76ad@mx.google.com>
2016-08-15 7:56 ` [PATCH 4.7 00/41] 4.7.1-stable review Greg Kroah-Hartman
2016-08-15 21:31 ` Kevin Hilman
2016-08-15 13:03 ` Guenter Roeck
2016-08-15 13:46 ` Greg Kroah-Hartman
2016-08-16 4:03 ` Shuah Khan
2016-08-16 10:48 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160814202533.670554856@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=guaneryu@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=phil.turnbull@oracle.com \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox