linux/fs/ext4
Eryu Guan 3a4b77cd47 ext4: validate s_first_meta_bg at mount time
Ralf Spenneberg reported that he hit a kernel crash when mounting a
modified ext4 image. It turns out that the kernel crashed when
calculating fs overhead (ext4_calculate_overhead()). This is because
the image has a very large s_first_meta_bg (debug code shows it's
842150400), and ext4 overruns the memory in count_overhead() when
setting the bitmap buffer, which is PAGE_SIZE.

ext4_calculate_overhead():
  buf = get_zeroed_page(GFP_NOFS);  <=== PAGE_SIZE buffer
  blks = count_overhead(sb, i, buf);

count_overhead():
  for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
          ext4_set_bit(EXT4_B2C(sbi, s++), buf);   <=== buffer overrun
          count++;
  }

This can be reproduced easily for me by this script:

  #!/bin/bash
  rm -f fs.img
  mkdir -p /mnt/ext4
  fallocate -l 16M fs.img
  mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
  debugfs -w -R "ssv first_meta_bg 842150400" fs.img
  mount -o loop fs.img /mnt/ext4

Fix it by validating s_first_meta_bg first at mount time, and
refusing to mount if its value exceeds the largest possible meta_bg
number.

Reported-by: Ralf Spenneberg <ralf@os-t.de>
Signed-off-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
2016-12-01 15:08:37 -05:00
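
The mount-time validation described in the commit message above, sketched as a userspace check over a raw 1024-byte ext4 superblock. This is an added example, not the kernel patch or any code from this tree. The function names, the bound used (the group descriptor block count derived from the superblock geometry) and the sample superblock are assumptions made for illustration.

```c
#include <stdint.h>

/* ext4 on-disk superblock offsets and flags used by this check. */
enum { BLOCKS_LO = 0x04, FIRST_DATA_BLOCK = 0x14, LOG_BLOCK_SIZE = 0x18,
       BLOCKS_PER_GROUP = 0x20, MAGIC = 0x38, FEATURE_INCOMPAT = 0x60,
       DESC_SIZE = 0xFE, FIRST_META_BG = 0x104, BLOCKS_HI = 0x150,
       EXT4_MAGIC = 0xEF53, INCOMPAT_META_BG = 0x10, INCOMPAT_64BIT = 0x80 };

static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Return 0 if s_first_meta_bg is within bounds, -1 if the image must be refused. */
int check_first_meta_bg(const uint8_t *sb)
{
    uint32_t incompat = le32(sb + FEATURE_INCOMPAT), log_bs = le32(sb + LOG_BLOCK_SIZE);
    uint32_t bpg = le32(sb + BLOCKS_PER_GROUP), first = le32(sb + FIRST_DATA_BLOCK);
    uint64_t blocks = le32(sb + BLOCKS_LO), desc_size = 32;
    if (le16(sb + MAGIC) != EXT4_MAGIC || log_bs > 6 || bpg == 0)
        return -1;
    if (!(incompat & INCOMPAT_META_BG))
        return 0;                       /* field is not consulted without meta_bg */
    if (incompat & INCOMPAT_64BIT) {
        blocks |= (uint64_t)le32(sb + BLOCKS_HI) << 32;
        desc_size = le16(sb + DESC_SIZE);
    }
    uint64_t block_size = 1024ULL << log_bs;
    if (desc_size < 32 || desc_size > block_size || blocks <= first)
        return -1;
    uint64_t groups = (blocks - first - 1) / bpg + 1;       /* rounded up */
    uint64_t per_block = block_size / desc_size;
    uint64_t gdb_count = (groups + per_block - 1) / per_block;
    /* Assumed bound: the group descriptor block count derived from the geometry. */
    return le32(sb + FIRST_META_BG) > gdb_count ? -1 : 0;
}

/* Constructed sample: 16 MiB, 1 KiB blocks, 8192 blocks per group, meta_bg set. */
int check_sample(uint32_t first_meta_bg)
{
    uint8_t sb[1024] = {0};
    put32(sb + BLOCKS_LO, 16384);
    put32(sb + FIRST_DATA_BLOCK, 1);
    put32(sb + BLOCKS_PER_GROUP, 8192);
    put32(sb + MAGIC, EXT4_MAGIC);
    put32(sb + FEATURE_INCOMPAT, INCOMPAT_META_BG);
    put32(sb + FIRST_META_BG, first_meta_bg);
    return check_first_meta_bg(sb);
}
int main(void) { return check_sample(842150400) == -1 ? 0 : 1; }
```

The sample geometry yields two block groups and a single group descriptor block, so the value 842150400 from the report is rejected before any loop could use it as an iteration count.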
acl.c ext4: use current_time() for inode timestamps 2016-11-14 21:40:10 -05:00
acl.h ext2/3/4: use generic posix ACL infrastructure 2014-01-25 23:58:19 -05:00
balloc.c The major change this cycle is deleting ext4's copy of the file system 2016-07-26 18:35:55 -07:00
bitmap.c ext4: remove unused header files 2015-04-02 23:47:42 -04:00
block_validity.c ext4: add missing KERN_CONT to a few more debugging uses 2016-10-15 09:57:31 -04:00
dir.c ext4: remove unused variable 2016-09-30 02:14:56 -04:00
ext4_extents.h ext4: fix misspellings in comments. 2016-03-09 23:49:05 -05:00
ext4_jbd2.c ext4: fix potential use after free in __ext4_journal_stop 2015-10-17 22:57:06 -04:00
ext4_jbd2.h ext4: optimize ext4_should_retry_alloc() to improve ENOSPC performance 2016-06-26 18:24:01 -04:00
ext4.h ext4: get rid of ext4_sb_has_crypto() 2016-12-01 11:54:18 -05:00
extents_status.c ext4: remove trailing \n from ext4_warning/ext4_error calls 2016-04-27 01:11:21 -04:00
extents_status.h ext4: move procfs registration code to fs/ext4/sysfs.c 2015-09-23 12:46:17 -04:00
extents.c ext4: use current_time() for inode timestamps 2016-11-14 21:40:10 -05:00
file.c ext4: convert DAX faults to iomap infrastructure 2016-11-20 18:51:24 -05:00
fsync.c ext4: cleanup ext4_sync_parent() 2016-09-05 23:21:43 -04:00
hash.c ext4: remove unused header files 2015-04-02 23:47:42 -04:00
ialloc.c ext4: avoid lockdep warning when inheriting encryption context 2016-11-21 11:52:44 -05:00
indirect.c ext4: refactor direct IO code 2016-05-13 00:44:16 -04:00
inline.c ext4: only set S_DAX if DAX is really supported 2016-11-20 17:32:59 -05:00
inode.c ext4: don't read out of bounds when checking for in-inode xattrs 2016-12-01 14:51:58 -05:00
ioctl.c ext4: disable pwsalt ioctl when encryption disabled by config 2016-12-01 11:55:51 -05:00
Kconfig ext4: Add select for CONFIG_FS_IOMAP 2016-11-22 23:21:58 -05:00
Makefile ext4 crypto: migrate into vfs's crypto engine 2016-07-10 14:01:03 -04:00
mballoc.c ext4: fix stack memory corruption with 64k block size 2016-11-14 21:26:26 -05:00
mballoc.h ext4: add missing KERN_CONT to a few more debugging uses 2016-10-15 09:57:31 -04:00
migrate.c ext4: fix misspellings in comments. 2016-03-09 23:49:05 -05:00
mmp.c fs: have submit_bh users pass in op and flags separately 2016-06-07 13:41:38 -06:00
move_extent.c ext4: enforce online defrag restriction for encrypted files 2016-08-29 15:45:11 -04:00
namei.c ext4: use current_time() for inode timestamps 2016-11-14 21:40:10 -05:00
page-io.c fscrypt: Let fs select encryption index/tweak 2016-11-13 20:18:16 -05:00
readpage.c Merge branch 'akpm' (patches from Andrew) 2016-07-26 19:55:54 -07:00
resize.c ext4: remove trailing \n from ext4_warning/ext4_error calls 2016-04-27 01:11:21 -04:00
super.c ext4: validate s_first_meta_bg at mount time 2016-12-01 15:08:37 -05:00
symlink.c Merge branch 'work.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 17:11:50 -07:00
sysfs.c ext4: do not advertise encryption support when disabled 2016-10-12 23:24:51 -04:00
truncate.h ext4: fix races between page faults and hole punching 2015-12-07 14:28:03 -05:00
xattr_security.c switch xattr_handler->set() to passing dentry and inode separately 2016-05-27 15:39:43 -04:00
xattr_trusted.c switch xattr_handler->set() to passing dentry and inode separately 2016-05-27 15:39:43 -04:00
xattr_user.c switch xattr_handler->set() to passing dentry and inode separately 2016-05-27 15:39:43 -04:00
xattr.c ext4: correctly detect when an xattr value has an invalid size 2016-12-01 14:57:29 -05:00
xattr.h ext4: reserve xattr index for the Hurd 2016-07-31 23:38:36 -04:00