From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 484ADCCA473 for ; Fri, 3 Jun 2022 17:52:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345413AbiFCRwd (ORCPT ); Fri, 3 Jun 2022 13:52:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45970 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345844AbiFCRu3 (ORCPT ); Fri, 3 Jun 2022 13:50:29 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5345B59320; Fri, 3 Jun 2022 10:46:27 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 9E6AD60A24; Fri, 3 Jun 2022 17:46:26 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 83E8DC385B8; Fri, 3 Jun 2022 17:46:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1654278386; bh=ckAXMjdtX0ur87WUhgGjR/BsA7WVjQYxbNCalliwZs8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UAtTWNbyZBv//mlVQJbgoqVRxRNv4/0SdOP29eHkssr4j0rfw8Qi7s2dMDWqaKuAA Z0ickdhdI+syb9Bi839L1BKTv0HqmTZ3Pstj39o/mSL4VCsC1nMJyZBf0r87xN4jdF 0d9y1uiOMvoFA5WObEapsrDk/259EmrLKrRp37pM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Darrick J. Wong" , Christoph Hellwig , Amir Goldstein Subject: [PATCH 5.10 16/53] xfs: detect overflows in bmbt records Date: Fri, 3 Jun 2022 19:43:01 +0200 Message-Id: <20220603173819.194392585@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220603173818.716010877@linuxfoundation.org> References: <20220603173818.716010877@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: "Darrick J. Wong" commit acf104c2331c1ba2a667e65dd36139d1555b1432 upstream. Detect file block mappings with a blockcount that's either so large that integer overflows occur or are zero, because neither are valid in the filesystem. Worse yet, attempting directory modifications causes the iext code to trip over the bmbt key handling and takes the filesystem down. We can fix most of this by preventing the bad metadata from entering the incore structures in the first place. Found by setting blockcount=0 in a directory data fork mapping and watching the fireworks. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Amir Goldstein Signed-off-by: Greg Kroah-Hartman --- fs/xfs/libxfs/xfs_bmap.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/fs/xfs/libxfs/xfs_bmap.c +++ b/fs/xfs/libxfs/xfs_bmap.c @@ -6229,6 +6229,11 @@ xfs_bmap_validate_extent( xfs_fsblock_t endfsb; bool isrt; + if (irec->br_startblock + irec->br_blockcount <= irec->br_startblock) + return __this_address; + if (irec->br_startoff + irec->br_blockcount <= irec->br_startoff) + return __this_address; + isrt = XFS_IS_REALTIME_INODE(ip); endfsb = irec->br_startblock + irec->br_blockcount - 1; if (isrt && whichfork == XFS_DATA_FORK) {