Patch "ext4: reject inodes with negative size" has been added to the 4.8-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Patch "ext4: reject inodes with negative size" has been added to the 4.8-stable tree
@ 2017-01-04 10:06 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-01-04 10:06 UTC (permalink / raw)
  To: darrick.wong, gregkh, tytso; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    ext4: reject inodes with negative size

to the 4.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ext4-reject-inodes-with-negative-size.patch
and it can be found in the queue-4.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 7e6e1ef48fc02f3ac5d0edecbb0c6087cd758d58 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong" <darrick.wong@oracle.com>
Date: Sat, 10 Dec 2016 09:55:01 -0500
Subject: ext4: reject inodes with negative size

From: Darrick J. Wong <darrick.wong@oracle.com>

commit 7e6e1ef48fc02f3ac5d0edecbb0c6087cd758d58 upstream.

Don't load an inode with a negative size; this causes integer overflow
problems in the VFS.

[ Added EXT4_ERROR_INODE() to mark file system as corrupted. -TYT]

Fixes: a48380f769df (ext4: rename i_dir_acl to i_size_high)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/inode.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4438,6 +4438,7 @@ struct inode *ext4_iget(struct super_blo
 	struct inode *inode;
 	journal_t *journal = EXT4_SB(sb)->s_journal;
 	long ret;
+	loff_t size;
 	int block;
 	uid_t i_uid;
 	gid_t i_gid;
@@ -4538,6 +4539,11 @@ struct inode *ext4_iget(struct super_blo
 		ei->i_file_acl |=
 			((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32;
 	inode->i_size = ext4_isize(raw_inode);
+	if ((size = i_size_read(inode)) < 0) {
+		EXT4_ERROR_INODE(inode, "bad i_size value: %lld", size);
+		ret = -EFSCORRUPTED;
+		goto bad_inode;
+	}
 	ei->i_disksize = inode->i_size;
 #ifdef CONFIG_QUOTA
 	ei->i_reserved_quota = 0;


Patches currently in stable-queue which might be from darrick.wong@oracle.com are

queue-4.8/ext4-reject-inodes-with-negative-size.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2017-01-04 10:06 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-01-04 10:06 Patch "ext4: reject inodes with negative size" has been added to the 4.8-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).