| From: Theodore Ts'o <tytso@mit.edu> |
| Date: Fri, 18 Nov 2016 13:37:47 -0500 |
| Subject: ext4: add sanity checking to count_overhead() |
| |
| commit c48ae41bafe31e9a66d8be2ced4e42a6b57fa814 upstream. |
| |
| The commit "ext4: sanity check the block and cluster size at mount |
| time" should prevent any problems, but in case the superblock is |
| modified while the file system is mounted, add an extra safety check |
| to make sure we won't overrun the allocated buffer. |
| |
| Signed-off-by: Theodore Ts'o <tytso@mit.edu> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| fs/ext4/super.c | 11 ++++++++--- |
| 1 file changed, 8 insertions(+), 3 deletions(-) |
| |
| --- a/fs/ext4/super.c |
| +++ b/fs/ext4/super.c |
| @@ -3180,10 +3180,15 @@ static int count_overhead(struct super_b |
| ext4_set_bit(s++, buf); |
| count++; |
| } |
| - for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { |
| - ext4_set_bit(EXT4_B2C(sbi, s++), buf); |
| - count++; |
| + j = ext4_bg_num_gdb(sb, grp); |
| + if (s + j > EXT4_BLOCKS_PER_GROUP(sb)) { |
| + ext4_error(sb, "Invalid number of block group " |
| + "descriptor blocks: %d", j); |
| + j = EXT4_BLOCKS_PER_GROUP(sb) - s; |
| } |
| + count += j; |
| + for (; j > 0; j--) |
| + ext4_set_bit(EXT4_B2C(sbi, s++), buf); |
| } |
| if (!count) |
| return 0; |
