mirror of
https://github.com/torvalds/linux.git
synced 2024-09-21 15:33:19 +00:00
92c5d1b860
The current sanity check for nilfs2 geometry information lacks checks for the number of segments stored in superblocks, so even for device images that have been destructively truncated or have an unusually high number of segments, the mount operation may succeed. This causes out-of-bounds block I/O on file system block reads or log writes to the segments, the latter in particular causing "a_ops->writepages" to repeatedly fail, resulting in sync_inodes_sb() to hang. Fix this issue by checking the number of segments stored in the superblock and avoiding mounting devices that can cause out-of-bounds accesses. To eliminate the possibility of overflow when calculating the number of blocks required for the device from the number of segments, this also adds a helper function to calculate the upper bound on the number of segments and inserts a check using it. Link: https://lkml.kernel.org/r/20230526021332.3431-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+7d50f1e54a12ba3aeae2@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=7d50f1e54a12ba3aeae2 Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
||
|---|---|---|
| .. | ||
| alloc.c | ||
| alloc.h | ||
| bmap.c | ||
| bmap.h | ||
| btnode.c | ||
| btnode.h | ||
| btree.c | ||
| btree.h | ||
| cpfile.c | ||
| cpfile.h | ||
| dat.c | ||
| dat.h | ||
| dir.c | ||
| direct.c | ||
| direct.h | ||
| export.h | ||
| file.c | ||
| gcinode.c | ||
| ifile.c | ||
| ifile.h | ||
| inode.c | ||
| ioctl.c | ||
| Kconfig | ||
| Makefile | ||
| mdt.c | ||
| mdt.h | ||
| namei.c | ||
| nilfs.h | ||
| page.c | ||
| page.h | ||
| recovery.c | ||
| segbuf.c | ||
| segbuf.h | ||
| segment.c | ||
| segment.h | ||
| sufile.c | ||
| sufile.h | ||
| super.c | ||
| sysfs.c | ||
| sysfs.h | ||
| the_nilfs.c | ||
| the_nilfs.h | ||