| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200416073901.8A1E3A405F@b06wcsmtp001.portsmouth.uk.ibm.com>
Date: Thu, 16 Apr 2020 13:08:55 +0530
From: Ritesh Harjani <riteshh@...ux.ibm.com>
To: Jan Kara <jack@...e.cz>
Cc: tytso@....edu, linux-ext4@...r.kernel.org, adilger@...ger.ca,
darrick.wong@...cle.com, hch@...radead.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-xfs@...r.kernel.org, willy@...radead.org,
linux-unionfs@...r.kernel.org,
syzbot+77fa5bdb65cc39711820@...kaller.appspotmail.com
Subject: Re: [RFC 1/1] ext4: Fix overflow case for map.m_len in
ext4_iomap_begin_*
Sorry Jan and others. Please ignore this patch.
I will resend a proper one after making sure it is tested via syzbot.
On 4/14/20 9:20 PM, Jan Kara wrote:
> On Sun 12-04-20 14:54:35, Ritesh Harjani wrote:
>> EXT4_MAX_LOGICAL_BLOCK - map.m_lblk + 1 in case when
>> map.m_lblk (offset) is 0 could overflow an unsigned int
>> and become 0.
>>
>> Fix this.
>>
>> Signed-off-by: Ritesh Harjani <riteshh@...ux.ibm.com>
>> Reported-by: syzbot+77fa5bdb65cc39711820@...kaller.appspotmail.com
>> Fixes: d3b6f23f7167 ("ext4: move ext4_fiemap to use iomap framework")
>
> The patch looks good to me. You can add:
>
> Reviewed-by: Jan Kara <jack@...e.cz>
>
> Honza
>
>> ---
>> fs/ext4/inode.c | 12 ++++++++++--
>> 1 file changed, 10 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
>> index e416096fc081..d630ec7a9c8e 100644
>> --- a/fs/ext4/inode.c
>> +++ b/fs/ext4/inode.c
>> @@ -3424,6 +3424,7 @@ static int ext4_iomap_begin(struct inode *inode, loff_t offset, loff_t length,
>> int ret;
>> struct ext4_map_blocks map;
>> u8 blkbits = inode->i_blkbits;
>> + loff_t len;
>>
>> if ((offset >> blkbits) > EXT4_MAX_LOGICAL_BLOCK)
>> return -EINVAL;
>> @@ -3435,8 +3436,11 @@ static int ext4_iomap_begin(struct inode *inode, loff_t offset, loff_t length,
>> * Calculate the first and last logical blocks respectively.
>> */
>> map.m_lblk = offset >> blkbits;
>> - map.m_len = min_t(loff_t, (offset + length - 1) >> blkbits,
>> + len = min_t(loff_t, (offset + length - 1) >> blkbits,
>> EXT4_MAX_LOGICAL_BLOCK) - map.m_lblk + 1;
>> + if (len > EXT4_MAX_LOGICAL_BLOCK)
>> + len = EXT4_MAX_LOGICAL_BLOCK;
>> + map.m_len = len;
>>
>> if (flags & IOMAP_WRITE)
>> ret = ext4_iomap_alloc(inode, &map, flags);
>> @@ -3524,6 +3528,7 @@ static int ext4_iomap_begin_report(struct inode *inode, loff_t offset,
>> bool delalloc = false;
>> struct ext4_map_blocks map;
>> u8 blkbits = inode->i_blkbits;
>> + loff_t len
>>
>> if ((offset >> blkbits) > EXT4_MAX_LOGICAL_BLOCK)
>> return -EINVAL;
>> @@ -3541,8 +3546,11 @@ static int ext4_iomap_begin_report(struct inode *inode, loff_t offset,
>> * Calculate the first and last logical block respectively.
>> */
>> map.m_lblk = offset >> blkbits;
>> - map.m_len = min_t(loff_t, (offset + length - 1) >> blkbits,
>> + len = min_t(loff_t, (offset + length - 1) >> blkbits,
>> EXT4_MAX_LOGICAL_BLOCK) - map.m_lblk + 1;
>> + if (len > EXT4_MAX_LOGICAL_BLOCK)
>> + len = EXT4_MAX_LOGICAL_BLOCK;
>> + map.m_len = len;
>>
>> /*
>> * Fiemap callers may call for offset beyond s_bitmap_maxbytes.
>> --
>> 2.21.0
>>
Powered by blists - more mailing lists