lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Apr 2020 13:08:55 +0530 From: Ritesh Harjani <riteshh@...ux.ibm.com> To: Jan Kara <jack@...e.cz> Cc: tytso@....edu, linux-ext4@...r.kernel.org, adilger@...ger.ca, darrick.wong@...cle.com, hch@...radead.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-xfs@...r.kernel.org, willy@...radead.org, linux-unionfs@...r.kernel.org, syzbot+77fa5bdb65cc39711820@...kaller.appspotmail.com Subject: Re: [RFC 1/1] ext4: Fix overflow case for map.m_len in ext4_iomap_begin_* Sorry Jan and others. Please ignore this patch. I will resend a proper one after making sure it is tested via syzbot. On 4/14/20 9:20 PM, Jan Kara wrote: > On Sun 12-04-20 14:54:35, Ritesh Harjani wrote: >> EXT4_MAX_LOGICAL_BLOCK - map.m_lblk + 1 in case when >> map.m_lblk (offset) is 0 could overflow an unsigned int >> and become 0. >> >> Fix this. >> >> Signed-off-by: Ritesh Harjani <riteshh@...ux.ibm.com> >> Reported-by: syzbot+77fa5bdb65cc39711820@...kaller.appspotmail.com >> Fixes: d3b6f23f7167 ("ext4: move ext4_fiemap to use iomap framework") > > The patch looks good to me. You can add: > > Reviewed-by: Jan Kara <jack@...e.cz> > > Honza > >> --- >> fs/ext4/inode.c | 12 ++++++++++-- >> 1 file changed, 10 insertions(+), 2 deletions(-) >> >> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c >> index e416096fc081..d630ec7a9c8e 100644 >> --- a/fs/ext4/inode.c >> +++ b/fs/ext4/inode.c >> @@ -3424,6 +3424,7 @@ static int ext4_iomap_begin(struct inode *inode, loff_t offset, loff_t length, >> int ret; >> struct ext4_map_blocks map; >> u8 blkbits = inode->i_blkbits; >> + loff_t len; >> >> if ((offset >> blkbits) > EXT4_MAX_LOGICAL_BLOCK) >> return -EINVAL; >> @@ -3435,8 +3436,11 @@ static int ext4_iomap_begin(struct inode *inode, loff_t offset, loff_t length, >> * Calculate the first and last logical blocks respectively. >> */ >> map.m_lblk = offset >> blkbits; >> - map.m_len = min_t(loff_t, (offset + length - 1) >> blkbits, >> + len = min_t(loff_t, (offset + length - 1) >> blkbits, >> EXT4_MAX_LOGICAL_BLOCK) - map.m_lblk + 1; >> + if (len > EXT4_MAX_LOGICAL_BLOCK) >> + len = EXT4_MAX_LOGICAL_BLOCK; >> + map.m_len = len; >> >> if (flags & IOMAP_WRITE) >> ret = ext4_iomap_alloc(inode, &map, flags); >> @@ -3524,6 +3528,7 @@ static int ext4_iomap_begin_report(struct inode *inode, loff_t offset, >> bool delalloc = false; >> struct ext4_map_blocks map; >> u8 blkbits = inode->i_blkbits; >> + loff_t len >> >> if ((offset >> blkbits) > EXT4_MAX_LOGICAL_BLOCK) >> return -EINVAL; >> @@ -3541,8 +3546,11 @@ static int ext4_iomap_begin_report(struct inode *inode, loff_t offset, >> * Calculate the first and last logical block respectively. >> */ >> map.m_lblk = offset >> blkbits; >> - map.m_len = min_t(loff_t, (offset + length - 1) >> blkbits, >> + len = min_t(loff_t, (offset + length - 1) >> blkbits, >> EXT4_MAX_LOGICAL_BLOCK) - map.m_lblk + 1; >> + if (len > EXT4_MAX_LOGICAL_BLOCK) >> + len = EXT4_MAX_LOGICAL_BLOCK; >> + map.m_len = len; >> >> /* >> * Fiemap callers may call for offset beyond s_bitmap_maxbytes. >> -- >> 2.21.0 >>
Powered by blists - more mailing lists