From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Theodore Tso, Wen Xu
Subject: [PATCH 4.14 53/64] ext4: avoid arithemetic overflow that can trigger a BUG
Date: Thu, 27 Sep 2018 11:04:10 +0200
Message-Id: <20180927090257.308974696@linuxfoundation.org>
In-Reply-To: <20180927090249.801943776@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o commit bcd8e91f98c156f4b1ebcfacae675f9cfd962441 upstream. A maliciously crafted file system can cause an overflow when the results of a 64-bit calculation is stored into a 32-bit length parameter. https://bugzilla.kernel.org/show_bug.cgi?id=200623 Signed-off-by: Theodore Ts'o Reported-by: Wen Xu Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- fs/ext4/ext4.h | 3 +++ fs/ext4/inode.c | 9 +++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -714,6 +714,9 @@ struct fsxattr { /* Max physical block we can address w/o extents */ #define EXT4_MAX_BLOCK_FILE_PHYS 0xFFFFFFFF +/* Max logical block we can support */ +#define EXT4_MAX_LOGICAL_BLOCK 0xFFFFFFFF + /* * Structure of an inode on the disk */ --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -3407,11 +3407,16 @@ static int ext4_iomap_begin(struct inode { struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); unsigned int blkbits = inode->i_blkbits; - unsigned long first_block = offset >> blkbits; - unsigned long last_block = (offset + length - 1) >> blkbits; + unsigned long first_block, last_block; struct ext4_map_blocks map; int ret; + if ((offset >> blkbits) > EXT4_MAX_LOGICAL_BLOCK) + return -EINVAL; + first_block = offset >> blkbits; + last_block = min_t(loff_t, (offset + length - 1) >> blkbits, + EXT4_MAX_LOGICAL_BLOCK); + if (WARN_ON_ONCE(ext4_has_inline_data(inode))) return -ERANGE;
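
Review bot: In the fs/ext4/ext4.h hunk, the comment on EXT4_MAX_LOGICAL_BLOCK ("Max logical block we can support") does not say where the limit comes from, and the new macro sits directly under EXT4_MAX_BLOCK_FILE_PHYS with the identical value 0xFFFFFFFF. Suggest extending the comment to name what the bound derives from (the commit message points at a 32-bit parameter), so a reader does not treat the two constants as interchangeable or raise one without checking the type it protects.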
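
Review bot: In the ext4_iomap_begin() hunk of fs/ext4/inode.c, the two ends of the range are treated differently with no comment explaining why: a first block above EXT4_MAX_LOGICAL_BLOCK is rejected with -EINVAL, while last_block is silently clamped by min_t(), so a request that runs past the limit is shortened rather than failed. A short comment stating that the truncation is intended would help the next reader. The clamp is also applied only after "offset + length - 1" has been evaluated, so it does not cover a wrap in the addition itself, nor a zero length, which would put last_block below first_block. The visible lines check neither, so it is worth confirming that callers rule both out, or adding an explicit check next to the new -EINVAL test.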