From: Kees Cook <kees@kernel.org>
To: Samuel Moelius <sam.moelius@trailofbits.com>
Cc: "Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>,
Bae Yeonju <iwasbaeyz@gmail.com>,
Christian Brauner <brauner@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] adfs: reject disc records smaller than one filesystem block
Date: Wed, 10 Jun 2026 13:24:38 -0700 [thread overview]
Message-ID: <202606101323.0DFB06B054@keescook> (raw)
In-Reply-To: <20260605183738.2489977-1-sam.moelius@trailofbits.com>
On Fri, Jun 05, 2026 at 06:37:34PM +0000, Samuel Moelius wrote:
> ADFS uses the on-disk disc size to report statfs block counts. The disc
> record validator checks the sector size, id length, high disc-size bits,
> map zone count, and reserved bytes, but it accepts a declared disc size
> smaller than one filesystem block.
>
> A crafted one-zone image with log2secsize 9 and disc_size 1 can pass map
> checksum validation and mount. A subsequent statfs then reports zero
> f_blocks from adfs_map_statfs(), and adfs_statfs() divides by that zero
> while deriving f_ffree.
>
> Reject disc records whose declared disc size is smaller than one
> filesystem block.
Can you create a tools/testing/selftests/ script that will generate a
good and bad image and attempt to mount both, validating the filesystem
checking logic you're adding here?
-Kees
>
> Assisted-by: Codex:gpt-5.5-cyber-preview
> Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
> ---
> fs/adfs/super.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/adfs/super.c b/fs/adfs/super.c
> index a4cd0a5159dd..cb8f3919e3bb 100644
> --- a/fs/adfs/super.c
> +++ b/fs/adfs/super.c
> @@ -73,6 +73,10 @@ static int adfs_checkdiscrecord(struct adfs_discrecord *dr)
> if (le32_to_cpu(dr->disc_size_high) >> dr->log2secsize)
> return 1;
>
> + /* disc size must contain at least one filesystem block */
> + if (adfs_disc_size(dr) < (1ULL << dr->log2secsize))
> + return 1;
> +
> /*
> * Maximum idlen is limited to 16 bits for new directories by
> * the three-byte storage of an indirect disc address. For
> --
> 2.43.0
>
--
Kees Cook
next prev parent reply other threads:[~2026-06-10 20:24 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 18:37 [PATCH] adfs: reject disc records smaller than one filesystem block Samuel Moelius
2026-06-10 20:24 ` Kees Cook [this message]
2026-06-28 22:01 ` [PATCH v2 0/2] " Samuel Moelius
2026-06-28 22:01 ` [PATCH v2 1/2] " Samuel Moelius
2026-06-28 23:16 ` Russell King
2026-06-28 22:01 ` [PATCH v2 2/2] selftests: filesystems: add ADFS mount validation test Samuel Moelius
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202606101323.0DFB06B054@keescook \
--to=kees@kernel.org \
--cc=brauner@kernel.org \
--cc=iwasbaeyz@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rmk+kernel@armlinux.org.uk \
--cc=sam.moelius@trailofbits.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox