From: Anant Thazhemadam
To: anprice@redhat.com, agruenba@redhat.com, rpeterso@redhat.com
Cc: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, cluster-devel@redhat.com, anant.thazhemadam@gmail.com, foxhlchen@gmail.com, syzbot+af90d47a37376844e731@syzkaller.appspotmail.com
Subject: [PATCH v2] fs: gfs2: add validation checks for size of superblock
Date: Wed, 14 Oct 2020 22:01:09 +0530
Message-Id: <20201014163109.98739-1-anant.thazhemadam@gmail.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

In gfs2_check_sb(), no validation checks are performed with regard to the size of the superblock. syzkaller detected a slab-out-of-bounds bug that was primarily caused because the block size for a superblock was set to zero. A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE. Performing validation checks and ensuring that the size of the superblock is valid fixes this bug.

Reported-by: syzbot+af90d47a37376844e731@syzkaller.appspotmail.com
Tested-by: syzbot+af90d47a37376844e731@syzkaller.appspotmail.com
Suggested-by: Andrew Price
Signed-off-by: Anant Thazhemadam
---
Changes in v2:
* Completely dropped the changes proposed in v1. Instead, validity checks for superblock size have been introduced. (Suggested by Andrew Price)
* Added a "Suggested-by" tag accrediting the patch idea to Andrew. If there's any issue with that, please let me know.
* Changed the commit header and commit message appropriately.
* Updated "Reported-by" and "Tested-by" tags to the same instance of the bug that was detected earlier (non-consequential change).

 fs/gfs2/ops_fstype.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 6d18d2c91add..f0605fae2c4c 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -169,6 +169,13 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int silent) return -EINVAL; } + /* Check if the size of the block is valid - a power of 2 between 512 and PAGE_SIZE */ + if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE || (sb->sb_bsize & (sb->sb_bsize - 1))) { + if (!silent) + pr_warn("Invalid superblock size\n"); + return -EINVAL; + } + /* If format numbers match exactly, we're done. */ if (sb->sb_fs_format == GFS2_FORMAT_FS && -- 2.25.1
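Review bot: the warning text in the added check, "Invalid superblock size", names the wrong thing: the value being tested is sb->sb_bsize, the filesystem block size, exactly as the check's own comment ("Check if the size of the block is valid") says, so a user reading the log would look at the wrong field; `pr_warn("Invalid block size\n");` is what the condition actually reports, and the subject line would benefit from the same wording. The hand-rolled power-of-two test `(sb->sb_bsize & (sb->sb_bsize - 1))` can use the kernel's is_power_of_2() helper from linux/log2.h, which reads as intent rather than a bit trick and, together with a shorter comment, keeps both added lines inside the 80 columns that coding-style.rst prefers, e.g. `if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE || !is_power_of_2(sb->sb_bsize)) {`. Functionally the range-plus-power-of-two check rejects the zero block size from the report and every other size gfs2 cannot address, so the logic itself looks right.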