The patch titled Subject: fs/minix: reject too-large maximum file size has been added to the -mm tree. Its filename is fs-minix-reject-too-large-maximum-file-size.patch
This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/fs-minix-reject-too-large-maximum-f... and later at http://ozlabs.org/~akpm/mmotm/broken-out/fs-minix-reject-too-large-maximum-f...
Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated there every 3-4 working days
------------------------------------------------------ From: Eric Biggers ebiggers@google.com Subject: fs/minix: reject too-large maximum file size
If the minix filesystem tries to map a very large logical block number to its on-disk location, block_to_path() can return offsets that are too large, causing out-of-bounds memory accesses when accessing indirect index blocks. This should be prevented by the check against the maximum file size, but this doesn't work because the maximum file size is read directly from the on-disk superblock and isn't validated itself.
Fix this by validating the maximum file size at mount time.
Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com Signed-off-by: Eric Biggers ebiggers@google.com Cc: Alexander Viro viro@zeniv.linux.org.uk Cc: Qiujun Huang anenbupt@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org ---
fs/minix/inode.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-)
--- a/fs/minix/inode.c~fs-minix-reject-too-large-maximum-file-size +++ a/fs/minix/inode.c @@ -150,6 +150,23 @@ static int minix_remount (struct super_b return 0; }
+static bool minix_check_superblock(struct minix_sb_info *sbi) +{ + if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) + return false; + + /* + * s_max_size must not exceed the block mapping limitation. This check + * is only needed for V1 filesystems, since V2/V3 support an extra level + * of indirect blocks which places the limit well above U32_MAX. + */ + if (sbi->s_version == MINIX_V1 && + sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE) + return false; + + return true; +} + static int minix_fill_super(struct super_block *s, void *data, int silent) { struct buffer_head *bh; @@ -228,11 +245,12 @@ static int minix_fill_super(struct super } else goto out_no_fs;
+ if (!minix_check_superblock(sbi)) + goto out_illegal_sb; + /* * Allocate the buffer map to keep the superblock small. */ - if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) - goto out_illegal_sb; i = (sbi->s_imap_blocks + sbi->s_zmap_blocks) * sizeof(bh); map = kzalloc(i, GFP_KERNEL); if (!map) _
Patches currently in -mm which might be from ebiggers@google.com are
fs-minix-check-return-value-of-sb_getblk.patch fs-minix-dont-allow-getting-deleted-inodes.patch fs-minix-reject-too-large-maximum-file-size.patch fs-minix-set-s_maxbytes-correctly.patch fs-minix-fix-block-limit-check-for-v1-filesystems.patch fs-minix-remove-expected-error-message-in-block_to_path.patch