Patch "ext2: Add more validity checks for inode counts" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 13 Aug 2022 18:50:03 -0400

This is a note to let you know that I've just added the patch titled

    ext2: Add more validity checks for inode counts

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ext2-add-more-validity-checks-for-inode-counts.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1fe0c007dfc292ee80a028a3aaca39ae8d02b86c
Author: Jan Kara <jack@xxxxxxx>
Date:   Tue Jul 26 13:13:50 2022 +0200

    ext2: Add more validity checks for inode counts
    
    [ Upstream commit fa78f336937240d1bc598db817d638086060e7e9 ]
    
    Add checks verifying number of inodes stored in the superblock matches
    the number computed from number of inodes per group. Also verify we have
    at least one block worth of inodes per group. This prevents crashes on
    corrupted filesystems.
    
    Reported-by: syzbot+d273f7d7f58afd93be48@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Jan Kara <jack@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/ext2/super.c b/fs/ext2/super.c
index db403c01d4d5..644c83c115bc 100644
--- a/fs/ext2/super.c
+++ b/fs/ext2/super.c
@@ -1077,9 +1077,10 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
 			sbi->s_frags_per_group);
 		goto failed_mount;
 	}
-	if (sbi->s_inodes_per_group > sb->s_blocksize * 8) {
+	if (sbi->s_inodes_per_group < sbi->s_inodes_per_block ||
+	    sbi->s_inodes_per_group > sb->s_blocksize * 8) {
 		ext2_msg(sb, KERN_ERR,
-			"error: #inodes per group too big: %lu",
+			"error: invalid #inodes per group: %lu",
 			sbi->s_inodes_per_group);
 		goto failed_mount;
 	}
@@ -1089,6 +1090,13 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
 	sbi->s_groups_count = ((le32_to_cpu(es->s_blocks_count) -
 				le32_to_cpu(es->s_first_data_block) - 1)
 					/ EXT2_BLOCKS_PER_GROUP(sb)) + 1;
+	if ((u64)sbi->s_groups_count * sbi->s_inodes_per_group !=
+	    le32_to_cpu(es->s_inodes_count)) {
+		ext2_msg(sb, KERN_ERR, "error: invalid #inodes: %u vs computed %llu",
+			 le32_to_cpu(es->s_inodes_count),
+			 (u64)sbi->s_groups_count * sbi->s_inodes_per_group);
+		goto failed_mount;
+	}
 	db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) /
 		   EXT2_DESC_PER_BLOCK(sb);
 	sbi->s_group_desc = kmalloc_array (db_count,






