hpfs: better test for errors
The test if bitmap access is out of bound could errorneously pass if the device size is divisible by 16384 sectors and we are asking for one bitmap after the end. Check for invalid size in the superblock. Invalid size could cause integer overflows in the rest of the code.
Signed-off-by: Mikulas Patocka <mpatocka@xxxxxxxxxxxxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxx
---
 fs/hpfs/map.c | 3 ++-
 fs/hpfs/super.c | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
Index: linux-3.10-fast/fs/hpfs/map.c
===================================================================
--- linux-3.10-fast.orig/fs/hpfs/map.c 2013-07-03 23:56:43.000000000 +0200
+++ linux-3.10-fast/fs/hpfs/map.c 2013-07-03 23:57:55.000000000 +0200
@@ -17,7 +17,8 @@ __le32 *hpfs_map_bitmap(struct super_blo
 struct quad_buffer_head *qbh, char *id)
 {
 secno sec;
- if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) {
+ unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14;
+ if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) {
 hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id);
 return NULL;
 }
Index: linux-3.10-fast/fs/hpfs/super.c
===================================================================
--- linux-3.10-fast.orig/fs/hpfs/super.c 2013-07-04 00:05:17.000000000 +0200
+++ linux-3.10-fast/fs/hpfs/super.c 2013-07-04 00:07:23.000000000 +0200
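Review bot: In hpfs_map_bitmap (fs/hpfs/map.c), the new round-up `(hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14` is wrap-free only because hpfs_fill_super now rejects sizes of 0x80000000 and above (assuming a 32-bit unsigned field), and nothing at this line says so. A comment such as `/* sb_fs_size < 0x80000000 is enforced at mount, so the round-up cannot wrap */` would keep the two checks tied together. The range test itself is still gated on `sb_chk`, so with checking disabled a bmp_block past the last band is not rejected here. The code that consumes bmp_block lies outside the hunk, so whether that path needs an unconditional bound should be confirmed.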
@@ -560,7 +560,13 @@ static int hpfs_fill_super(struct super_
 sbi->sb_cp_table = NULL;
 sbi->sb_c_bitmap = -1;
 sbi->sb_max_fwd_alloc = 0xffffff;
-
+
+ if (sbi->sb_fs_size >= 0x80000000) {
+ hpfs_error(s, "invalid size in superblock: %08x",
+ (unsigned)sbi->sb_fs_size);
+ goto bail4;
+ }
+
 /* Load bitmap directory */
 if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps))))
 goto bail4;
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
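Review bot: The limit `0x80000000` in the new superblock check is a bare literal, and the reason for choosing it appears only in the commit message. A comment above the test, e.g. `/* sizes >= 2^31 sectors overflow sector arithmetic elsewhere in hpfs */`, would tell a later reader which invariant the rest of the driver relies on; the n_bands round-up in hpfs_map_bitmap is one such place. The check is unconditional rather than gated on `sb_chk`, which suits a value read from an on-disk superblock that cannot be trusted. hpfs_fill_super starts and ends outside the hunk, so the cleanup performed at `bail4` cannot be verified from here, though the existing bitmap-directory failure just below uses the same label.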