On Tue, 6 Nov 2018 07:19:17 +0000 Tigran Aivazian <aivazian.tigran@xxxxxxxxx> wrote:
> On Tue, 6 Nov 2018 at 00:49, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Sat, 3 Nov 2018 13:10:17 +0000 Tigran Aivazian <aivazian.tigran@xxxxxxxxx> wrote:
> >
> > > On 15th June I sent you a superior version of the patch, see attached.
> > > Even though it has a hardcoded "magic number" of 513, it explains in
> > > the comment next to it the reason for it.
> >
> > Oh gee, OK, I'm going to have to turn that into an incremental patch,
> > think up a changelog and then forge your Signed-off-by:. Sigh. Is
> > that all OK?
>
> Thank you, but, logically, these two changes belong to the same
> category of superblock fields sanity checking
> and so I don't see why you should split it into two incremental
> patches. The patch is
> small and simple enough to be "spoon fed", using Linus' terminology
> from the days I remember.
Is OK. I thought your patch was a replacement for Tetsuo's, but I see
now that it is an addition to it.
Here's what I ended up with:
From: Tigran Aivazian <aivazian.tigran@xxxxxxxxx>
Subject: bfs: additional sanity checking in bfs_fill_super()
Strengthen bfs_fill_super() against artificially (or, highly unlikely,
naturally) corrupted BFS filesystem by checking the values of
bfs_sb->s_start and s_fs_info->si_lasti to be in their valid ranges.
Signed-off-by: Tigran Aivazian <aivazian.tigran@xxxxxxxxx>
Reported-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
fs/bfs/inode.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/fs/bfs/inode.c~bfs-additional-sanity-checking-in-bfs_fill_super
+++ a/fs/bfs/inode.c
@@ -351,7 +351,7 @@ static int bfs_fill_super(struct super_b
s->s_magic = BFS_MAGIC;
if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) ||
- le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) {
+ le32_to_cpu(bfs_sb->s_start) < sizeof(struct bfs_super_block) + sizeof(struct bfs_dirent)) {
printf("Superblock is corrupted\n");
goto out1;
}
@@ -359,7 +359,12 @@ static int bfs_fill_super(struct super_b
info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) /
sizeof(struct bfs_inode)
+ BFS_ROOT_INO - 1;
- imap_len = (info->si_lasti / 8) + 1;
+ if (info->si_lasti > 513) { /* Hardcoded: BFS can have up to 512 maximum number of inodes */
+ printf("Impossible number of inodes %lu\n", info->si_lasti);
+ goto out1;
+ }
+ imap_len = round_up((info->si_lasti) / 8,
+ sizeof(unsigned long)) + sizeof(unsigned long);
info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN);
if (!info->si_imap) {
printf("Cannot allocate %u bytes\n", imap_len);
_
