From patchwork Wed Oct 19 08:23:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 4597 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:4ac7:0:0:0:0:0 with SMTP id y7csp206345wrs; Wed, 19 Oct 2022 01:52:12 -0700 (PDT) X-Google-Smtp-Source: AMsMyM70uSlKf6zYnidS2L0D69rMR1EoWz2AGqyfz/+ZsO4R0ZQYVK9lGx60YZZ3+7l/iLBCXByP X-Received: by 2002:a17:90b:4a09:b0:20c:316d:e58b with SMTP id kk9-20020a17090b4a0900b0020c316de58bmr44416796pjb.217.1666169531732; Wed, 19 Oct 2022 01:52:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666169531; cv=none; d=google.com; s=arc-20160816; b=pNLjqpW4bp7X5lfga1Dkkuw3dNjFr52fnuYfq3PmJQ191gnacDdynVStUetp/WGcAD L+1U1koK3MmCbjbgsKue+os+Luy31mlqAh+V3UG4S+KOifM43EXLilzTVQR7a51PHORk iMBzHygX5NhUEsAMjjOL8Vu0FIrYHfMCwulEhnGhvpmmajscqB6aEJmYPZnHBErzsLLN oGjbkAibB01i2kiw45bfeLj4kR82fcAR7rxuuGd3vfNTRWnNEQ/JeKUaxCrc9mXF46qb pP7aofo9/dVQgU5HQTrhond3CDeGSN9Tgb0y6GklOqkiQDKz+W81hKYbPaw9SlDjD+2t isbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=EMPq0BaR5/lCInmpm45kPQFoSyWLsnFqt0LsOOBtKBQ=; b=SW8ym7FFTf0tz8bxGVOqkcrUtwew9fblwPVebe8JjaWbSj2LHXoIyoo2C2nlrBkvGc u0XiXMgGUYCJR2TzjMrZqVFOXvDsKeNM7AHLTIoSJ4g1iNifyLOEc8XxyO1cgkBnMNvF NmOBuEgqpwdWISFhwGkv2+HWJ1L41u0UVtRLHGTPaE+QKAI2+9SMS6YCGBJ/0spJ49cB BaumXMCWR+fvBGYdcYVKAjviPAhrmGgwJgv/WVrlDtxjHV7S+XN+Mb1bHun5bHUDTAco M//+BtGt5ImA70SuFVgJnjvRLOjOvRkXq5Q33nTZPEJrx7xh9v57gcVEYc+zBrYIh7N2 RdDQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=aM6Zfm5T; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g13-20020a63520d000000b004609faa2dbesi17280883pgb.285.2022.10.19.01.51.58; Wed, 19 Oct 2022 01:52:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=aM6Zfm5T; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231698AbiJSIvc (ORCPT + 99 others); Wed, 19 Oct 2022 04:51:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60798 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231781AbiJSItP (ORCPT ); Wed, 19 Oct 2022 04:49:15 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2CD402937B; Wed, 19 Oct 2022 01:47:32 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 33920B822E7; Wed, 19 Oct 2022 08:43:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8C722C433C1; Wed, 19 Oct 2022 08:43:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666169028; bh=I5YDn81jI/EDADv6zzlsMUgkxvYfnlhwaafu72TSR3A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aM6Zfm5TB/Xz7xPYsbQ7V81QFI417R1YTk49FjwJCrX+PtHHkZt4DfsvhcMdQ6Lbx ze70/a/osJXSJ7885yyQDYk65ppcexUpnGbw5HjCTqE4I/FmHTsVSrTbGHfawV/g1c cU57PxeB0d3ke+iecvcx8SJs12oDrAxnQUKPfJY8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com, Jan Kara , kernel test robot Subject: [PATCH 6.0 134/862] ext2: Add sanity checks for group and filesystem size Date: Wed, 19 Oct 2022 10:23:41 +0200 Message-Id: <20221019083255.893841253@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221019083249.951566199@linuxfoundation.org> References: <20221019083249.951566199@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747105382727548036?= X-GMAIL-MSGID: =?utf-8?q?1747105382727548036?= From: Jan Kara commit d766f2d1e3e3bd44024a7f971ffcf8b8fbb7c5d2 upstream. Add sanity check that filesystem size does not exceed the underlying device size and that group size is big enough so that metadata can fit into it. This avoid trying to mount some crafted filesystems with extremely large group counts. Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com Reported-by: kernel test robot # Test fixup CC: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman --- fs/ext2/super.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) --- a/fs/ext2/super.c +++ b/fs/ext2/super.c @@ -1052,6 +1052,13 @@ static int ext2_fill_super(struct super_ sbi->s_blocks_per_group); goto failed_mount; } + /* At least inode table, bitmaps, and sb have to fit in one group */ + if (sbi->s_blocks_per_group <= sbi->s_itb_per_group + 3) { + ext2_msg(sb, KERN_ERR, + "error: #blocks per group smaller than metadata size: %lu <= %lu", + sbi->s_blocks_per_group, sbi->s_inodes_per_group + 3); + goto failed_mount; + } if (sbi->s_frags_per_group > sb->s_blocksize * 8) { ext2_msg(sb, KERN_ERR, "error: #fragments per group too big: %lu", @@ -1065,9 +1072,14 @@ static int ext2_fill_super(struct super_ sbi->s_inodes_per_group); goto failed_mount; } + if (sb_bdev_nr_blocks(sb) < le32_to_cpu(es->s_blocks_count)) { + ext2_msg(sb, KERN_ERR, + "bad geometry: block count %u exceeds size of device (%u blocks)", + le32_to_cpu(es->s_blocks_count), + (unsigned)sb_bdev_nr_blocks(sb)); + goto failed_mount; + } - if (EXT2_BLOCKS_PER_GROUP(sb) == 0) - goto cantfind_ext2; sbi->s_groups_count = ((le32_to_cpu(es->s_blocks_count) - le32_to_cpu(es->s_first_data_block) - 1) / EXT2_BLOCKS_PER_GROUP(sb)) + 1;