Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1775731imm;
        Thu, 27 Sep 2018 02:15:46 -0700 (PDT)
X-Google-Smtp-Source: ACcGV63g/OtYGXg9wG+v2tg0aov0XK3EbZIxlGWWF4iAeevoTVIQJfrO+CzmH4bNc+dOUuVdEBkI
X-Received: by 2002:a17:902:5a45:: with SMTP id f5-v6mr10148769plm.26.1538039746217;
        Thu, 27 Sep 2018 02:15:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538039746; cv=none;
        d=google.com; s=arc-20160816;
        b=qLQ2R/oktI1c+xA8ch9wtDaV1rR1izYAVjjWjcunyqqBD2goj9OupR4ZVnDHJIU5Jj
         3IjrGfZTAOH3/v6rJaKK49MgvXRV3KqOrTes9ZXGFnIAxPTFinyev+xTOEkXAZi+FC/T
         KMLOieS/hdfCLmjW9NJbgvZcmrKncBtVDy+i+/oINv10QUZZBrRmD71SrnVRBJCQ2zZa
         /W2wrDMEfBNBm7VilJeyGXNupjBzHHiXjEeh173vsRBlKzqFRBoQYt4s0dIXkQXx1KC9
         klvuc/Hfwm8Lnl8bh071kI5uZ5EqLSKHwtzjwRMNGH//UpVL1UFRP1/RlOPYeNnbNoxd
         /7Hw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from;
        bh=FZkVKPEf695oW2CvGFla81bXBgGlb46K+F83ETIKCwE=;
        b=0YsaX/cwah6rapAdRbalQYbZZw+1OE5VM0mro7zwbRoO6QrZ0S3O5z4LMpQtXzT8GB
         FBtlk6O6bDCTZ2/wPj9ywdVx4hfaf4uW1E3RXUDapP2pdRWFQ95P1Ze9nZ/VjjAym71v
         JT2AWR+17/8yYvmNMURpJu6ACdqoddZlEyTtUT8VjedVHARIzHe1l+wNRtK7gaaDBIgW
         YbrvG13kKx7ZbsNZq0Ar8b+eXHxZrlvdRFPRYcWbjvS8ePoJMXsblCowFz8UjrHVy+ZP
         V1b60704YV2vFWYGoH0m+kpy90WlAkVWgGiDN3K8uR/HSHUPvEvCXCm9AMIqLEUBLx6C
         qqHg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d4-v6si1495983pla.299.2018.09.27.02.15.31;
        Thu, 27 Sep 2018 02:15:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728237AbeI0Pbu (ORCPT <rfc822;xuyizhaos@gmail.com> + 99 others);
        Thu, 27 Sep 2018 11:31:50 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:55528 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727576AbeI0Pbu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 27 Sep 2018 11:31:50 -0400
Received: from localhost (ip-213-127-77-73.ip.prioritytelecom.net [213.127.77.73])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id AC4591117;
        Thu, 27 Sep 2018 09:14:33 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Theodore Tso <tytso@mit.edu>,
        Wen Xu <wen.xu@gatech.edu>
Subject: [PATCH 4.18 78/88] ext4: avoid arithemetic overflow that can trigger a BUG
Date:   Thu, 27 Sep 2018 11:03:59 +0200
Message-Id: <20180927090310.091349330@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20180927090300.631426620@linuxfoundation.org>
References: <20180927090300.631426620@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit bcd8e91f98c156f4b1ebcfacae675f9cfd962441 upstream.

A maliciously crafted file system can cause an overflow when the
results of a 64-bit calculation is stored into a 32-bit length
parameter.

https://bugzilla.kernel.org/show_bug.cgi?id=200623

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Wen Xu <wen.xu@gatech.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/ext4.h  |    3 +++
 fs/ext4/inode.c |    8 ++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -675,6 +675,9 @@ enum {
 /* Max physical block we can address w/o extents */
 #define EXT4_MAX_BLOCK_FILE_PHYS	0xFFFFFFFF
 
+/* Max logical block we can support */
+#define EXT4_MAX_LOGICAL_BLOCK		0xFFFFFFFF
+
 /*
  * Structure of an inode on the disk
  */
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3412,12 +3412,16 @@ static int ext4_iomap_begin(struct inode
 {
 	struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
 	unsigned int blkbits = inode->i_blkbits;
-	unsigned long first_block = offset >> blkbits;
-	unsigned long last_block = (offset + length - 1) >> blkbits;
+	unsigned long first_block, last_block;
 	struct ext4_map_blocks map;
 	bool delalloc = false;
 	int ret;
 
+	if ((offset >> blkbits) > EXT4_MAX_LOGICAL_BLOCK)
+		return -EINVAL;
+	first_block = offset >> blkbits;
+	last_block = min_t(loff_t, (offset + length - 1) >> blkbits,
+			   EXT4_MAX_LOGICAL_BLOCK);
 
 	if (flags & IOMAP_REPORT) {
 		if (ext4_has_inline_data(inode)) {