From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-fsdevel-owner@vger.kernel.org>
Received: from www262.sakura.ne.jp ([202.181.97.72]:21231 "EHLO
        www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754913AbeFNN20 (ORCPT
        <rfc822;linux-fsdevel@vger.kernel.org>);
        Thu, 14 Jun 2018 09:28:26 -0400
Subject: Re: [PATCH] bfs: add sanity check at bfs_fill_super().
To: Tigran Aivazian <aivazian.tigran@gmail.com>,
        Dmitry Vyukov <dvyukov@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        syzbot <syzbot+71c6b5d68e91149fc8a4@syzkaller.appspotmail.com>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>
References: <1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp>
 <20180509160658.c37bef542a8ee5245a13917b@linux-foundation.org>
 <201805092346.w49NkINl045657@www262.sakura.ne.jp>
 <20180509165321.3b2b1313fde0f007c1a5a015@linux-foundation.org>
 <9ef86114-02d6-b243-203d-fbbdab95a6fa@I-love.SAKURA.ne.jp>
 <CAK+_RLko_OCepN4FCmsaQPAKkt9JNGe8pNRK7SO-onhw5zCneA@mail.gmail.com>
 <CACT4Y+aFF4qCDT70Um-CR17bZc3UzL=hJYJsR0BmSvdPw7w_KQ@mail.gmail.com>
 <CAK+_RL=mNYahSkoMcaxcdyKGT=NX672fmAeb1=evfBZx1iqoAw@mail.gmail.com>
 <CACT4Y+Zmgjzwj8pgTRB2YD6HjcGHz8cCQn2OjcscHKLYUo8XcQ@mail.gmail.com>
 <CAK+_RLmxrdtxSxL-iVUfAgRAuSdC7hVV6QUZYxU5PDQUL-4nDg@mail.gmail.com>
From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Message-ID: <f8e7cc6b-78d0-a03d-3d6e-3fe685a7feea@i-love.sakura.ne.jp>
Date: Thu, 14 Jun 2018 22:28:11 +0900
MIME-Version: 1.0
In-Reply-To: <CAK+_RLmxrdtxSxL-iVUfAgRAuSdC7hVV6QUZYxU5PDQUL-4nDg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

On 2018/06/14 22:05, Tigran Aivazian wrote:
> On 14 June 2018 at 13:38, Dmitry Vyukov <dvyukov@google.com> wrote:
>> Consider, currently we can have a bfs image that works fine on one
>> kernel, but fails to mount on another just because it happens so that
>> one could allocate 4MB with kmalloc, but another can't (different
>> allocator/different settings/different kernel revision).
> 
> Yes, but this would only happen _without_ the validation proposed by
> Tetsuo Handa. If we check s_start then the invalid enormous allocation
> request will not be made and what you describe won't not happen.
> 

What is possible largest value for imap_len ?

  info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) / sizeof(struct bfs_inode) + BFS_ROOT_INO - 1;
  imap_len = (info->si_lasti / 8) + 1;
  info->si_imap = kzalloc(imap_len, GFP_KERNEL);

Since sizeof(struct bfs_inode) is 64 and bfs_sb->s_start is unsigned 32bits integer
(where constraints is BFS_BSIZE <= bfs_sb->s_start <= bfs_sb->s_end), theoretically
it is possible to assign bfs_sb->s_start > 2GB (apart from whether such value makes
sense). Then, isn't it possible that imap_len > 4M and still hit KMALLOC_MAX_SIZE limit?