[PATCH V2 resend] FS/OMFS: block number sanity check during fill_super operation

[PATCH V2 resend] FS/OMFS: block number sanity check during fill_super operation

[Fabian Frederick]

This patch defines maximum block number to 2^31.
It also converts bitmap_size and array_size to
unsigned int in omfs_get_imap

Suggested-By: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-By: Bob Copeland <me@bobcopeland.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Bob Copeland <me@bobcopeland.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Fabian Frederick <fabf@skynet.be>
---
This is untested.

V2: 
   use 1ul<<31 instead of 1<<31 to avoid comparing to negative value
   (suggested by Linus Torvalds).

 fs/omfs/inode.c   | 10 +++++++---
 fs/omfs/omfs_fs.h |  1 +
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index ba88197..138321b 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -306,9 +306,7 @@ static const struct super_operations omfs_sops = {
  */
 static int omfs_get_imap(struct super_block *sb)
 {
-	int bitmap_size;
-	int array_size;
-	int count;
+	unsigned int bitmap_size, count, array_size;
 	struct omfs_sb_info *sbi = OMFS_SB(sb);
 	struct buffer_head *bh;
 	unsigned long **ptr;
@@ -473,6 +471,12 @@ static int omfs_fill_super(struct super_block *sb, void *data, int silent)
 	sbi->s_sys_blocksize = be32_to_cpu(omfs_sb->s_sys_blocksize);
 	mutex_init(&sbi->s_bitmap_lock);
 
+	if (sbi->s_num_blocks > OMFS_MAX_BLOCKS) {
+		printk(KERN_ERR "omfs: sysblock number (%llx) is out of range\n",
+		       (unsigned long long)sbi->s_num_blocks);
+		goto out_brelse_bh;
+	}
+
 	if (sbi->s_sys_blocksize > PAGE_SIZE) {
 		printk(KERN_ERR "omfs: sysblock size (%d) is out of range\n",
 			sbi->s_sys_blocksize);
diff --git a/fs/omfs/omfs_fs.h b/fs/omfs/omfs_fs.h
index ee5e432..83a9833 100644
--- a/fs/omfs/omfs_fs.h
+++ b/fs/omfs/omfs_fs.h
@@ -18,6 +18,7 @@
 #define OMFS_XOR_COUNT 19
 #define OMFS_MAX_BLOCK_SIZE 8192
 #define OMFS_MAX_CLUSTER_SIZE 8
+#define OMFS_MAX_BLOCKS (1ul << 31)
 
 struct omfs_super_block {
 	char s_fill1[256];
-- 
1.9.3

Re: [PATCH V2 resend] FS/OMFS: block number sanity check during fill_super operation

[Bob Copeland]

On Mon, Sep 29, 2014 at 07:07:08PM +0200, Fabian Frederick wrote:
> This patch defines maximum block number to 2^31.
> It also converts bitmap_size and array_size to
> unsigned int in omfs_get_imap
> 
> Suggested-By: Linus Torvalds <torvalds@linux-foundation.org>
> Suggested-By: Bob Copeland <me@bobcopeland.com>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Bob Copeland <me@bobcopeland.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Fabian Frederick <fabf@skynet.be>
> ---
> This is untested.

Acked-by: Bob Copeland <me@bobcopeland.com>

I also gave it a quick test.  For just plain corruption of s_num_blocks,
there's a later check that one would normally hit since the number is
stored in a second place, and we compare them.  But if both
omfs_rb->r_num_blocks and sbi->s_num_blocks are the same insane number, I
agree we should give up here.

-- 
Bob Copeland %% www.bobcopeland.com