linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Eric Biggers <ebiggers@kernel.org>
To: linux-fsdevel@vger.kernel.org,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, Qiujun Huang <hqjagain@gmail.com>,
	stable@vger.kernel.org,
	syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com,
	syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com,
	syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
Subject: [PATCH 3/6] fs/minix: reject too-large maximum file size
Date: Sat, 27 Jun 2020 23:08:42 -0700	[thread overview]
Message-ID: <20200628060846.682158-4-ebiggers@kernel.org> (raw)
In-Reply-To: <20200628060846.682158-1-ebiggers@kernel.org>

From: Eric Biggers <ebiggers@google.com>

If the minix filesystem tries to map a very large logical block number
to its on-disk location, block_to_path() can return offsets that are too
large, causing out-of-bounds memory accesses when accessing indirect
index blocks.  This should be prevented by the check against the maximum
file size, but this doesn't work because the maximum file size is read
directly from the on-disk superblock and isn't validated itself.

Fix this by validating the maximum file size at mount time.

Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/minix/inode.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index 2bca95abe8f4..0dd929346f3f 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -150,6 +150,23 @@ static int minix_remount (struct super_block * sb, int * flags, char * data)
 	return 0;
 }
 
+static bool minix_check_superblock(struct minix_sb_info *sbi)
+{
+	if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
+		return false;
+
+	/*
+	 * s_max_size must not exceed the block mapping limitation.  This check
+	 * is only needed for V1 filesystems, since V2/V3 support an extra level
+	 * of indirect blocks which places the limit well above U32_MAX.
+	 */
+	if (sbi->s_version == MINIX_V1 &&
+	    sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE)
+		return false;
+
+	return true;
+}
+
 static int minix_fill_super(struct super_block *s, void *data, int silent)
 {
 	struct buffer_head *bh;
@@ -228,11 +245,12 @@ static int minix_fill_super(struct super_block *s, void *data, int silent)
 	} else
 		goto out_no_fs;
 
+	if (!minix_check_superblock(sbi))
+		goto out_illegal_sb;
+
 	/*
 	 * Allocate the buffer map to keep the superblock small.
 	 */
-	if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
-		goto out_illegal_sb;
 	i = (sbi->s_imap_blocks + sbi->s_zmap_blocks) * sizeof(bh);
 	map = kzalloc(i, GFP_KERNEL);
 	if (!map)
-- 
2.27.0


  parent reply	other threads:[~2020-06-28  6:10 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-28  6:08 [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers
2020-06-28  6:08 ` [PATCH 1/6] fs/minix: check return value of sb_getblk() Eric Biggers
2020-07-07 19:26   ` Andrew Morton
2020-07-07 20:34     ` Eric Biggers
2020-06-28  6:08 ` [PATCH 2/6] fs/minix: don't allow getting deleted inodes Eric Biggers
2020-06-28  6:08 ` Eric Biggers [this message]
2020-06-28  6:08 ` [PATCH 4/6] fs/minix: set s_maxbytes correctly Eric Biggers
2020-06-28  6:08 ` [PATCH 5/6] fs/minix: fix block limit check for V1 filesystems Eric Biggers
2020-06-28  6:08 ` [PATCH 6/6] fs/minix: remove expected error message in block_to_path() Eric Biggers
2020-07-07 17:14 ` [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200628060846.682158-4-ebiggers@kernel.org \
    --to=ebiggers@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=hqjagain@gmail.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com \
    --cc=syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com \
    --cc=syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).