From: "Theodore Ts'o"
To: Ext4 Developers List
Cc: "Theodore Ts'o", stable@kernel.org
Subject: [PATCH] ext4: fix signed vs unsigned comparison in ext4_valid_extent()
Date: Tue, 22 Oct 2019 21:31:12 -0400
Message-Id: <20191023013112.18809-1-tytso@mit.edu>

Due to a signed vs unsigned comparison, an invalid extent where ee_block (the logical block) is so large that lblk + len overflows wasn't getting flagged as invalid. As a result, we tripped the BUG_ON(end < lblk) in ext4_es_cache_extent() when trying to mount a file system with a corrupted journal inode.

https://bugzilla.kernel.org/show_bug.cgi?id=205197

Signed-off-by: Theodore Ts'o
Cc: stable@kernel.org
--- fs/ext4/extents.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index fb0f99dc8c22..d12bc287abdc 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -367,7 +367,7 @@ ext4_ext_max_entries(struct inode *inode, int depth) static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext) { ext4_fsblk_t block = ext4_ext_pblock(ext); - int len = ext4_ext_get_actual_len(ext); + unsigned int len = ext4_ext_get_actual_len(ext); ext4_lblk_t lblock = le32_to_cpu(ext->ee_block); /* -- 2.23.0
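Review bot: on the changed declaration of `len` in ext4_valid_extent(), the fix rests entirely on the variable's type, and the comparison it affects lies below the context shown, so a later cleanup could switch it back to `int` with no visible signal that the signedness matters. Consider a one-line comment at the declaration saying `len` must stay unsigned for the lblock + len overflow check, or declaring it as `ext4_lblk_t` to match `lblock` so both operands visibly share a type. Separately, the commit message says the corrupted extent reached BUG_ON(end < lblk) in ext4_es_cache_extent(); since the value comes from on-disk data, it is worth asking whether that assertion should also become an error return as defense in depth, so that a future validation gap fails the mount instead of crashing the kernel.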