Commit 62aeb944 authored Mar 01, 2023 by Jan Kara

ext2: Check block size validity during mount



Check that log of block size stored in the superblock has sensible
value. Otherwise the shift computing the block size can overflow leading
to undefined behavior.

Reported-by:  <syzbot+4fec412f59eba8c01b77@syzkaller.appspotmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>

parent e9cd1d9a

fs/ext2/ext2.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -180,6 +180,7 @@ static inline struct ext2_sb_info EXT2_SB(struct super_block sb)
		#define EXT2_MIN_BLOCK_SIZE 1024
		#define EXT2_MAX_BLOCK_SIZE 65536
		#define EXT2_MIN_BLOCK_LOG_SIZE 10
		#define EXT2_MAX_BLOCK_LOG_SIZE 16
		#define EXT2_BLOCK_SIZE(s) ((s)->s_blocksize)
		#define EXT2_ADDR_PER_BLOCK(s) (EXT2_BLOCK_SIZE(s) / sizeof (__u32))
		#define EXT2_BLOCK_SIZE_BITS(s) ((s)->s_blocksize_bits)

fs/ext2/super.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -945,6 +945,13 @@ static int ext2_fill_super(struct super_block sb, void data, int silent)
		goto failed_mount;
		}

		if (le32_to_cpu(es->s_log_block_size) >
		(EXT2_MAX_BLOCK_LOG_SIZE - BLOCK_SIZE_BITS)) {
		ext2_msg(sb, KERN_ERR,
		"Invalid log block size: %u",
		le32_to_cpu(es->s_log_block_size));
		goto failed_mount;
		}
		blocksize = BLOCK_SIZE << le32_to_cpu(sbi->s_es->s_log_block_size);

		if (test_opt(sb, DAX)) {