* [PATCH V2 resend] FS/OMFS: block number sanity check during fill_super operation
@ 2014-09-29 17:07 Fabian Frederick
2014-09-29 19:38 ` Bob Copeland
0 siblings, 1 reply; 2+ messages in thread
From: Fabian Frederick @ 2014-09-29 17:07 UTC (permalink / raw)
To: linux-kernel
Cc: linux-karma-devel, Fabian Frederick, Linus Torvalds,
Bob Copeland, Andrew Morton
This patch defines maximum block number to 2^31.
It also converts bitmap_size and array_size to
unsigned int in omfs_get_imap
Suggested-By: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-By: Bob Copeland <me@bobcopeland.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Bob Copeland <me@bobcopeland.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Fabian Frederick <fabf@skynet.be>
---
This is untested.
V2:
use 1ul<<31 instead of 1<<31 to avoid comparing to negative value
(suggested by Linus Torvalds).
fs/omfs/inode.c | 10 +++++++---
fs/omfs/omfs_fs.h | 1 +
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index ba88197..138321b 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -306,9 +306,7 @@ static const struct super_operations omfs_sops = {
*/
static int omfs_get_imap(struct super_block *sb)
{
- int bitmap_size;
- int array_size;
- int count;
+ unsigned int bitmap_size, count, array_size;
struct omfs_sb_info *sbi = OMFS_SB(sb);
struct buffer_head *bh;
unsigned long **ptr;
@@ -473,6 +471,12 @@ static int omfs_fill_super(struct super_block *sb, void *data, int silent)
sbi->s_sys_blocksize = be32_to_cpu(omfs_sb->s_sys_blocksize);
mutex_init(&sbi->s_bitmap_lock);
+ if (sbi->s_num_blocks > OMFS_MAX_BLOCKS) {
+ printk(KERN_ERR "omfs: sysblock number (%llx) is out of range\n",
+ (unsigned long long)sbi->s_num_blocks);
+ goto out_brelse_bh;
+ }
+
if (sbi->s_sys_blocksize > PAGE_SIZE) {
printk(KERN_ERR "omfs: sysblock size (%d) is out of range\n",
sbi->s_sys_blocksize);
diff --git a/fs/omfs/omfs_fs.h b/fs/omfs/omfs_fs.h
index ee5e432..83a9833 100644
--- a/fs/omfs/omfs_fs.h
+++ b/fs/omfs/omfs_fs.h
@@ -18,6 +18,7 @@
#define OMFS_XOR_COUNT 19
#define OMFS_MAX_BLOCK_SIZE 8192
#define OMFS_MAX_CLUSTER_SIZE 8
+#define OMFS_MAX_BLOCKS (1ul << 31)
struct omfs_super_block {
char s_fill1[256];
--
1.9.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH V2 resend] FS/OMFS: block number sanity check during fill_super operation
2014-09-29 17:07 [PATCH V2 resend] FS/OMFS: block number sanity check during fill_super operation Fabian Frederick
@ 2014-09-29 19:38 ` Bob Copeland
0 siblings, 0 replies; 2+ messages in thread
From: Bob Copeland @ 2014-09-29 19:38 UTC (permalink / raw)
To: Fabian Frederick
Cc: linux-kernel, linux-karma-devel, Linus Torvalds, Andrew Morton
On Mon, Sep 29, 2014 at 07:07:08PM +0200, Fabian Frederick wrote:
> This patch defines maximum block number to 2^31.
> It also converts bitmap_size and array_size to
> unsigned int in omfs_get_imap
>
> Suggested-By: Linus Torvalds <torvalds@linux-foundation.org>
> Suggested-By: Bob Copeland <me@bobcopeland.com>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Bob Copeland <me@bobcopeland.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Fabian Frederick <fabf@skynet.be>
> ---
> This is untested.
Acked-by: Bob Copeland <me@bobcopeland.com>
I also gave it a quick test. For just plain corruption of s_num_blocks,
there's a later check that one would normally hit since the number is
stored in a second place, and we compare them. But if both
omfs_rb->r_num_blocks and sbi->s_num_blocks are the same insane number, I
agree we should give up here.
--
Bob Copeland %% www.bobcopeland.com
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-09-29 19:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-09-29 17:07 [PATCH V2 resend] FS/OMFS: block number sanity check during fill_super operation Fabian Frederick
2014-09-29 19:38 ` Bob Copeland
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.