From patchwork Sat Oct 22 07:20:01 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 7242 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:4242:0:0:0:0:0 with SMTP id s2csp1091257wrr; Sat, 22 Oct 2022 00:49:58 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5eLt/vUk7xyiVqkgdqXWGzjfmYHhfoK76ZjuUb4uePPOg44GslhWL+7WqgWsT7fnIzQXfh X-Received: by 2002:a17:90b:380b:b0:20b:8dd:4f5f with SMTP id mq11-20020a17090b380b00b0020b08dd4f5fmr63375438pjb.158.1666424998544; Sat, 22 Oct 2022 00:49:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666424998; cv=none; d=google.com; s=arc-20160816; b=oalMOjk7+N6XyESUj7L4CQLOzNODPn1/DywRpjK0DOQ2T1ayfrNPGKvQsOfofNW/0/ dgfQVJJjkFrW6Q3LFrGHYDAOvwUNHNP3ramNYye25XJfEyIZkHwHJb5AmGeWkqwzv0tU 49ljlRi7R+hMrZwo7RuhqrLCAsynA2nzbKkgND/mDL9mVf4ecgjRxLJlkuBCFEeQggE3 jJ3YruQp+rhNk18Prc33mLtQtWmEdCyZEg+ECm9B5aWnA6DQCik36iDucvfdyXa1tyUE os4ewN01kMMMJb6lZh1mF01OgTt7FJhN8GNK7NhEZdEa0/0+px4oSlt0hI/9bMK+ooSj nybg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=9AfLRHZtRj8pgRqcSvSLqpzbZSJTQsete1aWr5bu5XM=; b=VfvDxETIreegbPseFTMbfB6jWbTGWrpGs21a0r3eIX1DMuiKZNvQkHWdfKHrz0v7dk I74RuS+iIFuK9z0+kell8LwLcYEW1vrKGDx1RnbK9JA3pveELtwtP7UmyeCXokreVpDC UoRx5v5BkIVIExd+AsxjWKt4GRGlVlnG8fE7SniQgxSuxAIb/snLMON1gUPaWVrFWa9U RFkCmG3pkaeDKBd3Z4Ujcyp5PwXSqRgLiMn9o0DO/AVdVLAnZMY2eUHt1bBdgWdXobzU 5q1jhJd92eNdDQoZCMs/7re+Za7t1pRJz6SU+s3l70qbTCH75vuIjJQhW+kBfvToYCIS GjQw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=wojyhm6z; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p2-20020a170902b08200b001747ed48ee8si24256767plr.150.2022.10.22.00.49.45; Sat, 22 Oct 2022 00:49:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=wojyhm6z; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231663AbiJVHs6 (ORCPT + 99 others); Sat, 22 Oct 2022 03:48:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34350 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231362AbiJVHsN (ORCPT ); Sat, 22 Oct 2022 03:48:13 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 124E1D03A8; Sat, 22 Oct 2022 00:45:11 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D2C7B60B1A; Sat, 22 Oct 2022 07:39:35 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E841BC433D6; Sat, 22 Oct 2022 07:39:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666424375; bh=JTa2qbkLTgeScZF6zKMRi8KfrP9jYtmRVYT8mvc0nDY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wojyhm6zr82CzO9sBrvipgtEMiZTSw1rOVFhTC3dBAGYDUhYRZhf7MYqr+oZgXUJG hZWHih0ch3raVnRBPixTvGUznrTi4DUqGE3YdPGnOc+UNng/5QFJiFpHkNDW2MrJwY uQIwrorEkP90nHcXjTQYGbisCqNqU+BJS44K0HIg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com, Jan Kara , kernel test robot Subject: [PATCH 5.19 122/717] ext2: Add sanity checks for group and filesystem size Date: Sat, 22 Oct 2022 09:20:01 +0200 Message-Id: <20221022072437.081515062@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221022072415.034382448@linuxfoundation.org> References: <20221022072415.034382448@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747373259353596331?= X-GMAIL-MSGID: =?utf-8?q?1747373259353596331?= From: Jan Kara commit d766f2d1e3e3bd44024a7f971ffcf8b8fbb7c5d2 upstream. Add sanity check that filesystem size does not exceed the underlying device size and that group size is big enough so that metadata can fit into it. This avoid trying to mount some crafted filesystems with extremely large group counts. Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com Reported-by: kernel test robot # Test fixup CC: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman --- fs/ext2/super.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) --- a/fs/ext2/super.c +++ b/fs/ext2/super.c @@ -1053,6 +1053,13 @@ static int ext2_fill_super(struct super_ sbi->s_blocks_per_group); goto failed_mount; } + /* At least inode table, bitmaps, and sb have to fit in one group */ + if (sbi->s_blocks_per_group <= sbi->s_itb_per_group + 3) { + ext2_msg(sb, KERN_ERR, + "error: #blocks per group smaller than metadata size: %lu <= %lu", + sbi->s_blocks_per_group, sbi->s_inodes_per_group + 3); + goto failed_mount; + } if (sbi->s_frags_per_group > sb->s_blocksize * 8) { ext2_msg(sb, KERN_ERR, "error: #fragments per group too big: %lu", @@ -1066,9 +1073,14 @@ static int ext2_fill_super(struct super_ sbi->s_inodes_per_group); goto failed_mount; } + if (sb_bdev_nr_blocks(sb) < le32_to_cpu(es->s_blocks_count)) { + ext2_msg(sb, KERN_ERR, + "bad geometry: block count %u exceeds size of device (%u blocks)", + le32_to_cpu(es->s_blocks_count), + (unsigned)sb_bdev_nr_blocks(sb)); + goto failed_mount; + } - if (EXT2_BLOCKS_PER_GROUP(sb) == 0) - goto cantfind_ext2; sbi->s_groups_count = ((le32_to_cpu(es->s_blocks_count) - le32_to_cpu(es->s_first_data_block) - 1) / EXT2_BLOCKS_PER_GROUP(sb)) + 1;