[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20221115014404.194531-1-liaochang1@huawei.com>
Date: Tue, 15 Nov 2022 09:44:04 +0800
From: Liao Chang <liaochang1@...wei.com>
To: <willy@...radead.org>, <akpm@...ux-foundation.org>,
<damien.lemoal@...nsource.wdc.com>, <roman.gushchin@...ux.dev>,
<tytso@....edu>, <songmuchun@...edance.com>, <qhjin.dev@...il.com>,
<liaochang1@...wei.com>
CC: <linux-kernel@...r.kernel.org>
Subject: [PATCH v2] fs: Fix UBSAN detected shift-out-bounds error for bad superblock
UBSAN: shift-out-of-bounds in fs/minix/bitmap.c:103:3
shift exponent 8192 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 32273 Comm: syz-executor.0 Tainted: G W
6.1.0-rc4-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
ubsan_epilogue+0xb/0x50
__ubsan_handle_shift_out_of_bounds.cold+0xb1/0x18d
minix_count_free_blocks.cold+0x16/0x1b
minix_statfs+0x22a/0x490
statfs_by_dentry+0x133/0x210
user_statfs+0xa9/0x160
__do_sys_statfs+0x7a/0xf0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The superblock stores on disk contains the size of a data zone, which is
too large to used as the shift when kernel try to calculate the total
size of zones, so it needs to check the superblock when kernel mounts
MINIX-FS.
Signed-off-by: Liao Chang <liaochang1@...wei.com>
---
v2:
1. Use compiler neutral API to calculate leading zeros count.
2. A invalid s_log_zone_size should be greater than the leading zeros
count of (s_nzone - s_firstdatazone).
---
fs/minix/inode.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index da8bdd1712a7..fbfe2021ef50 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -19,6 +19,7 @@
#include <linux/highuid.h>
#include <linux/vfs.h>
#include <linux/writeback.h>
+#include <linux/count_zeros.h>
static int minix_write_inode(struct inode *inode,
struct writeback_control *wbc);
@@ -166,6 +167,12 @@ static bool minix_check_superblock(struct super_block *sb)
sb->s_maxbytes > (7 + 512 + 512*512) * BLOCK_SIZE)
return false;
+ /* the total size of zones must not exceed the limitation of U32_MAX. */
+ if (sbi->s_log_zone_size && (sbi->s_nzones - sbi->s_firstdatazone) &&
+ (count_leading_zeros(sbi->s_nzones - sbi->s_firstdatazone) <
+ sbi->s_log_zone_size))
+ return false;
+
return true;
}
--
2.17.1
Powered by blists - more mailing lists