X-Patchwork-Submitter: Theodore Ts'o
X-Patchwork-Id: 964630
X-Mailing-List: linux-ext4@vger.kernel.org
From: Theodore Ts'o
To: Ext4 Developers List
Cc: Theodore Ts'o, stable@vger.kernel.org
Subject: [PATCH] ext4: avoid arithmetic overflow that can trigger a BUG
Date: Fri, 31 Aug 2018 13:41:26 -0400
Message-Id: <20180831174126.13071-1-tytso@mit.edu>

A maliciously crafted file system can cause an overflow when the result
of a 64-bit calculation is stored into a 32-bit length parameter.

https://bugzilla.kernel.org/show_bug.cgi?id=200623

Signed-off-by: Theodore Ts'o
Reported-by: Wen Xu
Cc: stable@vger.kernel.org

--- fs/ext4/inode.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 8f6ad7667974..1134c3473673 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -3414,6 +3414,7 @@ static int ext4_iomap_begin(struct inode *inode, loff_t offset, loff_t length, unsigned int blkbits = inode->i_blkbits; unsigned long first_block = offset >> blkbits; unsigned long last_block = (offset + length - 1) >> blkbits; + unsigned long len; struct ext4_map_blocks map; bool delalloc = false; int ret; @@ -3434,7 +3435,8 @@ static int ext4_iomap_begin(struct inode *inode, loff_t offset, loff_t length, } map.m_lblk = first_block; - map.m_len = last_block - first_block + 1; + len = last_block - first_block + 1; + map.m_len = (len < UINT_MAX) ? len : UINT_MAX; if (flags & IOMAP_REPORT) { ret = ext4_map_blocks(NULL, inode, &map, 0);
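
Review bot: in the second hunk, the clamp `map.m_len = (len < UINT_MAX) ? len : UINT_MAX;` is open-coded and has no comment explaining why UINT_MAX is the limit; `min_t(unsigned long, len, UINT_MAX)` plus a one-line comment that m_len is a 32-bit field would make the intent explicit. The neighbouring `map.m_lblk = first_block;` still assigns an unsigned long with no range check, so if m_lblk is also narrower than unsigned long the same truncation applies to the start block, and an early check on first_block would cover it. The clamp also sits downstream of `last_block = (offset + length - 1) >> blkbits`, so it bounds the stored length but does not validate offset + length itself.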