fs/minix: reject too-large maximum file size - kernel/linux.git

diff options

author	Eric Biggers <ebiggers@google.com>	2020-08-12 04:35:30 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-08-21 10:48:15 +0300
commit	0900097ef667097b0a4afb0155a4f5add77ece19 (patch)
tree	5000ccbd17375b0779d79801c8861c3fc0e041af /crypto
parent	12490f06ef084bc34f5e5dbda104aa034e376f2e (diff)
download	linux-0900097ef667097b0a4afb0155a4f5add77ece19.tar.xz

fs/minix: reject too-large maximum file size

commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream. If the minix filesystem tries to map a very large logical block number to its on-disk location, block_to_path() can return offsets that are too large, causing out-of-bounds memory accesses when accessing indirect index blocks. This should be prevented by the check against the maximum file size, but this doesn't work because the maximum file size is read directly from the on-disk superblock and isn't validated itself. Fix this by validating the maximum file size at mount time. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Qiujun Huang <anenbupt@gmail.com> Cc: <stable@vger.kernel.org> Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'crypto')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: