From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Theodore Tso, syzbot+345b75652b1d24227443@syzkaller.appspotmail.com
Subject: [PATCH 5.10 36/63] ext4: check for invalid block size early when mounting a file system
Date: Mon, 4 Jan 2021 16:57:29 +0100
Message-Id: <20210104155710.573205321@linuxfoundation.org>
In-Reply-To: <20210104155708.800470590@linuxfoundation.org>
References: <20210104155708.800470590@linuxfoundation.org>

From: Theodore Ts'o

commit c9200760da8a728eb9767ca41a956764b28c1310 upstream.

Check for valid block size directly by validating s_log_block_size; we
were doing this in two places. First, by calculating blocksize via
BLOCK_SIZE << s_log_block_size, and then checking that the blocksize
was valid. And then secondly, by checking s_log_block_size directly.

The first check is not reliable, and can trigger an UBSAN warning if
s_log_block_size on a maliciously corrupted superblock is greater than
22. This is harmless, since the second test will correctly reject the
maliciously fuzzed file system, but to make syzbot shut up, and
because the two checks are duplicative in any case, delete the
blocksize check, and move the s_log_block_size earlier in
ext4_fill_super().

Signed-off-by: Theodore Ts'o
Reported-by: syzbot+345b75652b1d24227443@syzkaller.appspotmail.com
Signed-off-by: Greg Kroah-Hartman
---
 fs/ext4/super.c | 40 ++++++++++++++++------------------------
 1 file changed, 16 insertions(+), 24 deletions(-)

--- a/fs/ext4/super.c +++ b/fs/ext4/super.c
@@ -4186,18 +4186,25 @@ static int ext4_fill_super(struct super_ */ sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT; - blocksize = BLOCK_SIZE << le32_to_cpu(es->s_log_block_size); - - if (blocksize == PAGE_SIZE) - set_opt(sb, DIOREAD_NOLOCK); - - if (blocksize < EXT4_MIN_BLOCK_SIZE || - blocksize > EXT4_MAX_BLOCK_SIZE) { + if (le32_to_cpu(es->s_log_block_size) > + (EXT4_MAX_BLOCK_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { ext4_msg(sb, KERN_ERR, - "Unsupported filesystem blocksize %d (%d log_block_size)", - blocksize, le32_to_cpu(es->s_log_block_size)); + "Invalid log block size: %u", + le32_to_cpu(es->s_log_block_size)); goto failed_mount; } + if (le32_to_cpu(es->s_log_cluster_size) > + (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { + ext4_msg(sb, KERN_ERR, + "Invalid log cluster size: %u", + le32_to_cpu(es->s_log_cluster_size)); + goto failed_mount; + } + + blocksize = EXT4_MIN_BLOCK_SIZE << le32_to_cpu(es->s_log_block_size); + + if (blocksize == PAGE_SIZE) + set_opt(sb, DIOREAD_NOLOCK); if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV) { sbi->s_inode_size = EXT4_GOOD_OLD_INODE_SIZE; @@ -4416,21 +4423,6 @@ static int ext4_fill_super(struct super_ if (!ext4_feature_set_ok(sb, (sb_rdonly(sb)))) goto failed_mount; - if (le32_to_cpu(es->s_log_block_size) > - (EXT4_MAX_BLOCK_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { - ext4_msg(sb, KERN_ERR, - "Invalid log block size: %u", - le32_to_cpu(es->s_log_block_size)); - goto failed_mount; - } - if (le32_to_cpu(es->s_log_cluster_size) > - (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { - ext4_msg(sb, KERN_ERR, - "Invalid log cluster size: %u", - le32_to_cpu(es->s_log_cluster_size)); - goto failed_mount; - } - if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) { ext4_msg(sb, KERN_ERR, "Number of reserved GDT blocks insanely large: %d",
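
Review bot: in the first hunk (@@ -4186), the added s_log_block_size range check is the only thing bounding the shift in "blocksize = EXT4_MIN_BLOCK_SIZE << le32_to_cpu(es->s_log_block_size);" a few lines below it, yet nothing in the code records that dependency. A one-line comment above the check saying it must run before blocksize is computed would keep a later reordering from reintroducing the oversized shift the commit message describes. The same added line also changes the shift base from BLOCK_SIZE to EXT4_MIN_BLOCK_SIZE, which the commit message does not mention; a sentence confirming the two are meant to be interchangeable here would help anyone comparing the old and new computation.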
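
Review bot: in the second hunk (@@ -4416), the removed lines take out the s_log_cluster_size check together with the s_log_block_size one, but the commit message only speaks of moving the s_log_block_size check. The message should name the cluster-size check as well, so the relocation is not a surprise to someone bisecting or backporting. With both checks gone from this spot, the "blocksize / 4" comparison against s_reserved_gdt_blocks in the trailing context depends entirely on the validation done in the earlier hunk, which is worth stating in the message too.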