Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1775731imm; Thu, 27 Sep 2018 02:15:46 -0700 (PDT) X-Google-Smtp-Source: ACcGV63g/OtYGXg9wG+v2tg0aov0XK3EbZIxlGWWF4iAeevoTVIQJfrO+CzmH4bNc+dOUuVdEBkI X-Received: by 2002:a17:902:5a45:: with SMTP id f5-v6mr10148769plm.26.1538039746217; Thu, 27 Sep 2018 02:15:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538039746; cv=none; d=google.com; s=arc-20160816; b=qLQ2R/oktI1c+xA8ch9wtDaV1rR1izYAVjjWjcunyqqBD2goj9OupR4ZVnDHJIU5Jj 3IjrGfZTAOH3/v6rJaKK49MgvXRV3KqOrTes9ZXGFnIAxPTFinyev+xTOEkXAZi+FC/T KMLOieS/hdfCLmjW9NJbgvZcmrKncBtVDy+i+/oINv10QUZZBrRmD71SrnVRBJCQ2zZa /W2wrDMEfBNBm7VilJeyGXNupjBzHHiXjEeh173vsRBlKzqFRBoQYt4s0dIXkQXx1KC9 klvuc/Hfwm8Lnl8bh071kI5uZ5EqLSKHwtzjwRMNGH//UpVL1UFRP1/RlOPYeNnbNoxd /7Hw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=FZkVKPEf695oW2CvGFla81bXBgGlb46K+F83ETIKCwE=; b=0YsaX/cwah6rapAdRbalQYbZZw+1OE5VM0mro7zwbRoO6QrZ0S3O5z4LMpQtXzT8GB FBtlk6O6bDCTZ2/wPj9ywdVx4hfaf4uW1E3RXUDapP2pdRWFQ95P1Ze9nZ/VjjAym71v JT2AWR+17/8yYvmNMURpJu6ACdqoddZlEyTtUT8VjedVHARIzHe1l+wNRtK7gaaDBIgW YbrvG13kKx7ZbsNZq0Ar8b+eXHxZrlvdRFPRYcWbjvS8ePoJMXsblCowFz8UjrHVy+ZP V1b60704YV2vFWYGoH0m+kpy90WlAkVWgGiDN3K8uR/HSHUPvEvCXCm9AMIqLEUBLx6C qqHg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d4-v6si1495983pla.299.2018.09.27.02.15.31; Thu, 27 Sep 2018 02:15:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728237AbeI0Pbu (ORCPT + 99 others); Thu, 27 Sep 2018 11:31:50 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:55528 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727576AbeI0Pbu (ORCPT ); Thu, 27 Sep 2018 11:31:50 -0400 Received: from localhost (ip-213-127-77-73.ip.prioritytelecom.net [213.127.77.73]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id AC4591117; Thu, 27 Sep 2018 09:14:33 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Theodore Tso , Wen Xu Subject: [PATCH 4.18 78/88] ext4: avoid arithemetic overflow that can trigger a BUG Date: Thu, 27 Sep 2018 11:03:59 +0200 Message-Id: <20180927090310.091349330@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20180927090300.631426620@linuxfoundation.org> References: <20180927090300.631426620@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Theodore Ts'o commit bcd8e91f98c156f4b1ebcfacae675f9cfd962441 upstream. A maliciously crafted file system can cause an overflow when the results of a 64-bit calculation is stored into a 32-bit length parameter. https://bugzilla.kernel.org/show_bug.cgi?id=200623 Signed-off-by: Theodore Ts'o Reported-by: Wen Xu Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- fs/ext4/ext4.h | 3 +++ fs/ext4/inode.c | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -675,6 +675,9 @@ enum { /* Max physical block we can address w/o extents */ #define EXT4_MAX_BLOCK_FILE_PHYS 0xFFFFFFFF +/* Max logical block we can support */ +#define EXT4_MAX_LOGICAL_BLOCK 0xFFFFFFFF + /* * Structure of an inode on the disk */ --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -3412,12 +3412,16 @@ static int ext4_iomap_begin(struct inode { struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); unsigned int blkbits = inode->i_blkbits; - unsigned long first_block = offset >> blkbits; - unsigned long last_block = (offset + length - 1) >> blkbits; + unsigned long first_block, last_block; struct ext4_map_blocks map; bool delalloc = false; int ret; + if ((offset >> blkbits) > EXT4_MAX_LOGICAL_BLOCK) + return -EINVAL; + first_block = offset >> blkbits; + last_block = min_t(loff_t, (offset + length - 1) >> blkbits, + EXT4_MAX_LOGICAL_BLOCK); if (flags & IOMAP_REPORT) { if (ext4_has_inline_data(inode)) {