From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: darrick.wong@oracle.com
Cc: linux-xfs@vger.kernel.org, bfoster@redhat.com
Subject: [PATCH 2/4] xfs: fix maxicount division by zero error
Date: Mon, 26 Aug 2019 14:48:56 -0700 [thread overview]
Message-ID: <156685613618.2853532.3571584792178437139.stgit@magnolia> (raw)
In-Reply-To: <156685612356.2853532.10960947509015722027.stgit@magnolia>
From: Darrick J. Wong <darrick.wong@oracle.com>
In xfs_ialloc_setup_geometry, it's possible for a malicious/corrupt fs
image to set an unreasonably large value for sb_inopblog which will
cause ialloc_blks to be zero. If sb_imax_pct is also set, this results
in a division by zero error in the second do_div call. Therefore, force
maxicount to zero if ialloc_blks is zero.
Note that the kernel metadata verifiers will catch the garbage inopblog
value and abort the fs mount long before it tries to set up the inode
geometry; this is needed to avoid a crash in xfs_db while setting up the
xfs_mount structure.
Found by fuzzing sb_inopblog to 122 in xfs/350.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
fs/xfs/libxfs/xfs_ialloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
index 04377ab75863..aa190a502326 100644
--- a/fs/xfs/libxfs/xfs_ialloc.c
+++ b/fs/xfs/libxfs/xfs_ialloc.c
@@ -2788,7 +2788,7 @@ xfs_ialloc_setup_geometry(
inodes);
/* Set the maximum inode count for this filesystem. */
- if (sbp->sb_imax_pct) {
+ if (sbp->sb_imax_pct && igeo->ialloc_blks) {
/*
* Make sure the maximum inode count is a multiple
* of the units we allocate inodes in.
next prev parent reply other threads:[~2019-08-26 21:49 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-26 21:48 [PATCH 0/4] xfs: fixes for 5.4 Darrick J. Wong
2019-08-26 21:48 ` [PATCH 1/4] xfs: bmap scrub should only scrub records once Darrick J. Wong
2019-08-26 23:08 ` Dave Chinner
2019-08-27 13:14 ` Brian Foster
2019-08-27 15:18 ` Darrick J. Wong
2019-08-27 15:21 ` Brian Foster
2019-08-28 16:01 ` Darrick J. Wong
2019-08-26 21:48 ` Darrick J. Wong [this message]
2019-08-26 23:09 ` [PATCH 2/4] xfs: fix maxicount division by zero error Dave Chinner
2019-08-26 21:49 ` [PATCH 3/4] xfs: don't return _QUERY_ABORT from xfs_rmap_has_other_keys Darrick J. Wong
2019-08-26 23:15 ` Dave Chinner
2019-08-26 21:49 ` [PATCH 4/4] xfs: fix sign handling problem in xfs_bmbt_diff_two_keys Darrick J. Wong
2019-08-26 23:15 ` Dave Chinner
2019-08-27 13:01 ` Eric Sandeen
2019-08-27 15:19 ` Darrick J. Wong
2019-08-27 15:20 ` Eric Sandeen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=156685613618.2853532.3571584792178437139.stgit@magnolia \
--to=darrick.wong@oracle.com \
--cc=bfoster@redhat.com \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).