| From 30a9d7afe70ed6bd9191d3000e2ef1a34fb58493 Mon Sep 17 00:00:00 2001 |
| From: Chandan Rajendra <chandan@linux.vnet.ibm.com> |
| Date: Mon, 14 Nov 2016 21:26:26 -0500 |
| Subject: ext4: fix stack memory corruption with 64k block size |
| |
| From: Chandan Rajendra <chandan@linux.vnet.ibm.com> |
| |
| commit 30a9d7afe70ed6bd9191d3000e2ef1a34fb58493 upstream. |
| |
| The number of 'counters' elements needed in 'struct sg' is |
| super_block->s_blocksize_bits + 2. Presently we have 16 'counters' |
| elements in the array. This is insufficient for block sizes >= 32k. In |
| such cases the memcpy operation performed in ext4_mb_seq_groups_show() |
| would cause stack memory corruption. |
| |
| Fixes: c9de560ded61f |
| Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com> |
| Signed-off-by: Theodore Ts'o <tytso@mit.edu> |
| Reviewed-by: Jan Kara <jack@suse.cz> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/ext4/mballoc.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/fs/ext4/mballoc.c |
| +++ b/fs/ext4/mballoc.c |
| @@ -2287,7 +2287,7 @@ static int ext4_mb_seq_groups_show(struc |
| struct ext4_group_info *grinfo; |
| struct sg { |
| struct ext4_group_info info; |
| - ext4_grpblk_t counters[16]; |
| + ext4_grpblk_t counters[EXT4_MAX_BLOCK_LOG_SIZE + 2]; |
| } sg; |
| |
| group--; |
