On 14 June 2018 at 14:28, Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
> What is the largest possible value for imap_len?
>
>         info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) / sizeof(struct bfs_inode) + BFS_ROOT_INO - 1;
>         imap_len = (info->si_lasti / 8) + 1;
>         info->si_imap = kzalloc(imap_len, GFP_KERNEL);
>
> Since sizeof(struct bfs_inode) is 64 and bfs_sb->s_start is an unsigned 32-bit integer
> (where the constraint is BFS_BSIZE <= bfs_sb->s_start <= bfs_sb->s_end), theoretically
> it is possible to assign bfs_sb->s_start > 2GB (apart from whether such a value makes
> sense). Then, isn't it possible that imap_len > 4M and still hits the KMALLOC_MAX_SIZE limit?

You are correct, but the proper fix should be to restrict imap_len to whatever the
maximum value allowed by the BFS filesystem layout is, and reject anything beyond it.
I will try to remember what it was from the notes I made when I wrote BFS back in 1999.
Please wait (possibly a few days) and I will let you know what those values are.

Kind regards,
Tigran
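To put numbers on the arithmetic quoted above, here is an added userspace model of the si_lasti / imap_len computation (my example, not code from the thread or from fs/bfs). It assumes BFS_BSIZE = 512 and BFS_ROOT_INO = 2 as I recall them from the kernel's bfs headers, takes sizeof(struct bfs_inode) = 64 from the thread, and assumes KMALLOC_MAX_SIZE = 4 MiB (a typical x86-64 configuration; it depends on MAX_ORDER and PAGE_SIZE). The check against KMALLOC_MAX_SIZE is only a stand-in for the on-disk layout limit Tigran says he will look up, which is not given on this page; the helper names are mine.

```c
/* Added example: userspace model of the imap_len arithmetic from the quoted
 * bfs_fill_super() code, to see for which s_start values kzalloc() must fail.
 * Constants below are assumptions (see lead-in), not taken from this page
 * except BFS_INODE_SIZE. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BFS_BSIZE        512u        /* assumed: 1 << BFS_BSIZE_BITS (9) */
#define BFS_ROOT_INO     2u          /* assumed */
#define BFS_INODE_SIZE   64u         /* sizeof(struct bfs_inode), per the thread */
#define KMALLOC_MAX_SIZE (4u << 20)  /* assumed: 4 MiB, config-dependent */

/* Recompute si_lasti and imap_len exactly as the quoted code does, in 64-bit
 * arithmetic so the model itself cannot overflow.  Returns 0 on success and
 * -1 when s_start violates the on-disk constraint s_start >= BFS_BSIZE. */
static int bfs_imap_len(uint32_t s_start, uint64_t *lasti, uint64_t *imap_len)
{
    if (s_start < BFS_BSIZE)
        return -1;
    *lasti = ((uint64_t)s_start - BFS_BSIZE) / BFS_INODE_SIZE + BFS_ROOT_INO - 1;
    *imap_len = *lasti / 8 + 1;
    return 0;
}

/* Hypothetical sanity check: 1 if kzalloc(imap_len) can succeed under the
 * assumed KMALLOC_MAX_SIZE, 0 if the superblock value should be rejected. */
static int bfs_imap_len_ok(uint32_t s_start)
{
    uint64_t lasti, len;
    if (bfs_imap_len(s_start, &lasti, &len) != 0)
        return 0;
    return len <= KMALLOC_MAX_SIZE;
}

/* Largest s_start for which imap_len still fits under KMALLOC_MAX_SIZE.
 * imap_len is monotonic in s_start, so a binary search over the u32 range
 * finds the boundary. */
static uint32_t bfs_max_s_start_for_kmalloc(void)
{
    uint32_t lo = BFS_BSIZE, hi = UINT32_MAX;
    while (lo < hi) {
        uint32_t mid = lo + (hi - lo + 1) / 2;
        if (bfs_imap_len_ok(mid))
            lo = mid;
        else
            hi = mid - 1;
    }
    return lo;
}

int main(void)
{
    /* Constructed sample superblock s_start values, from the minimum up to
     * the u32 maximum Tetsuo's question is about. */
    uint32_t samples[] = { BFS_BSIZE, 1u << 20, 1u << 31, UINT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t lasti, len;
        bfs_imap_len(samples[i], &lasti, &len);
        printf("s_start=%10" PRIu32 "  si_lasti=%10" PRIu64 "  imap_len=%10" PRIu64 "  %s\n",
               samples[i], lasti, len,
               bfs_imap_len_ok(samples[i]) ? "ok" : "exceeds KMALLOC_MAX_SIZE");
    }
    printf("largest s_start that still fits: %" PRIu32 "\n",
           bfs_max_s_start_for_kmalloc());
    return 0;
}
```

With s_start = 0xFFFFFFFF the model gives imap_len = 8 MiB, twice the assumed kmalloc ceiling, which is the case Tetsuo raises; the boundary under that assumption is s_start = 2147484095, i.e. just past 2 GB. A real fix would substitute the BFS layout limit for KMALLOC_MAX_SIZE in bfs_imap_len_ok() and refuse to mount anything beyond it.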