From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jan Kara <jack@suse.cz>,
syzbot+4fec412f59eba8c01b77@syzkaller.appspotmail.com,
Sasha Levin <sashal@kernel.org>,
jack@suse.com, linux-ext4@vger.kernel.org
Subject: [PATCH AUTOSEL 6.2 07/53] ext2: Check block size validity during mount
Date: Thu, 4 May 2023 15:43:27 -0400 [thread overview]
Message-ID: <20230504194413.3806354-7-sashal@kernel.org> (raw)
In-Reply-To: <20230504194413.3806354-1-sashal@kernel.org>
From: Jan Kara <jack@suse.cz>
[ Upstream commit 62aeb94433fcec80241754b70d0d1836d5926b0a ]
Check that log of block size stored in the superblock has sensible
value. Otherwise the shift computing the block size can overflow leading
to undefined behavior.
Reported-by: syzbot+4fec412f59eba8c01b77@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext2/ext2.h | 1 +
fs/ext2/super.c | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/fs/ext2/ext2.h b/fs/ext2/ext2.h
index 28de11a22e5f6..dc5dcb78bc27f 100644
--- a/fs/ext2/ext2.h
+++ b/fs/ext2/ext2.h
@@ -180,6 +180,7 @@ static inline struct ext2_sb_info *EXT2_SB(struct super_block *sb)
#define EXT2_MIN_BLOCK_SIZE 1024
#define EXT2_MAX_BLOCK_SIZE 4096
#define EXT2_MIN_BLOCK_LOG_SIZE 10
+#define EXT2_MAX_BLOCK_LOG_SIZE 16
#define EXT2_BLOCK_SIZE(s) ((s)->s_blocksize)
#define EXT2_ADDR_PER_BLOCK(s) (EXT2_BLOCK_SIZE(s) / sizeof (__u32))
#define EXT2_BLOCK_SIZE_BITS(s) ((s)->s_blocksize_bits)
diff --git a/fs/ext2/super.c b/fs/ext2/super.c
index 69c88facfe90e..f342f347a695f 100644
--- a/fs/ext2/super.c
+++ b/fs/ext2/super.c
@@ -945,6 +945,13 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
goto failed_mount;
}
+ if (le32_to_cpu(es->s_log_block_size) >
+ (EXT2_MAX_BLOCK_LOG_SIZE - BLOCK_SIZE_BITS)) {
+ ext2_msg(sb, KERN_ERR,
+ "Invalid log block size: %u",
+ le32_to_cpu(es->s_log_block_size));
+ goto failed_mount;
+ }
blocksize = BLOCK_SIZE << le32_to_cpu(sbi->s_es->s_log_block_size);
if (test_opt(sb, DAX)) {
--
2.39.2
next prev parent reply other threads:[~2023-05-04 20:08 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-04 19:43 [PATCH AUTOSEL 6.2 01/53] wifi: ath: Silence memcpy run-time false positive warning Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 02/53] bpf: Annotate data races in bpf_local_storage Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 03/53] wifi: brcmfmac: pcie: Provide a buffer of random bytes to the device Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 04/53] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 05/53] wifi: brcmfmac: pcie: Add IDs/properties for BCM4387 Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 06/53] bpf, mips: Implement DADDI workarounds for JIT Sasha Levin
2023-05-04 19:43 ` Sasha Levin [this message]
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 08/53] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 09/53] scsi: lpfc: Correct used_rpi count when devloss tmo fires with no recovery Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 10/53] wifi: rtw88: fix memory leak in rtw_usb_probe() Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 11/53] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 12/53] bnxt: avoid overflow in bnxt_get_nvram_directory() Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 13/53] net: pasemi: Fix return type of pasemi_mac_start_tx() Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 14/53] net: Catch invalid index in XPS mapping Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 15/53] netdev: Enforce index cap in netdev_get_tx_queue Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 16/53] scsi: target: iscsit: Free cmds before session free Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 17/53] lib: cpu_rmap: Avoid use after free on rmap->obj array entries Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 18/53] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 19/53] gfs2: Fix inode height consistency check Sasha Levin
2023-05-04 19:43 ` [Cluster-devel] " Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 20/53] scsi: ufs: ufs-pci: Add support for Intel Lunar Lake Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 21/53] scsi: hisi_sas: Grab sas_dev lock when traversing the members of sas_dev.list Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 22/53] ext4: set goal start correctly in ext4_mb_normalize_request Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 23/53] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 24/53] crypto: jitter - permanent and intermittent health errors Sasha Levin
2023-05-04 19:43 ` [f2fs-dev] [PATCH AUTOSEL 6.2 25/53] f2fs: Fix system crash due to lack of free space in LFS Sasha Levin
2023-05-04 19:43 ` Sasha Levin
2023-05-04 19:43 ` [f2fs-dev] [PATCH AUTOSEL 6.2 26/53] f2fs: fix to drop all dirty pages during umount() if cp_error is set Sasha Levin
2023-05-04 19:43 ` Sasha Levin
2023-05-04 19:43 ` [f2fs-dev] [PATCH AUTOSEL 6.2 27/53] f2fs: fix to check readonly condition correctly Sasha Levin
2023-05-04 19:43 ` Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 28/53] samples/bpf: Fix fout leak in hbm's run_bpf_prog Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 29/53] bpf: Add preempt_count_{sub,add} into btf id deny list Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 30/53] md: fix soft lockup in status_resync Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 31/53] wifi: iwlwifi: pcie: fix possible NULL pointer dereference Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 32/53] wifi: iwlwifi: add a new PCI device ID for BZ device Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 33/53] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 34/53] wifi: iwlwifi: mvm: fix ptk_pn memory leak Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 35/53] block, bfq: Fix division by zero error on zero wsum Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 36/53] wifi: ath11k: Ignore frags from uninitialized peer in dp Sasha Levin
2023-05-04 19:43 ` Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 37/53] wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 38/53] null_blk: Always check queue mode setting from configfs Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 39/53] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 40/53] wifi: ath11k: Fix SKB corruption in REO destination ring Sasha Levin
2023-05-04 19:44 ` Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 41/53] wifi: rtw88: Fix memory leak in rtw88_usb Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 42/53] nbd: fix incomplete validation of ioctl arg Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 43/53] ipvs: Update width of source for ip_vs_sync_conn_options Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 44/53] Bluetooth: btusb: Add new PID/VID 04ca:3801 for MT7663 Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 45/53] Bluetooth: Add new quirk for broken local ext features page 2 Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 46/53] Bluetooth: btrtl: add support for the RTL8723CS Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 47/53] Bluetooth: Improve support for Actions Semi ATS2851 based devices Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 48/53] Bluetooth: btrtl: check for NULL in btrtl_set_quirks() Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 49/53] Bluetooth: btintel: Add LE States quirk support Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 50/53] Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 51/53] Bluetooth: Add new quirk for broken set random RPA timeout for ATS2851 Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 52/53] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 53/53] Bluetooth: btrtl: Add the support for RTL8851B Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230504194413.3806354-7-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jack@suse.com \
--cc=jack@suse.cz \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+4fec412f59eba8c01b77@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.