git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Eric Biggers <ebiggers@google.com>
	Wed, 12 Aug 2020 01:35:30 +0000 (18:35 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 19 Aug 2020 06:24:14 +0000 (08:24 +0200)
commit	a25ca5ea23ed88e4bacaba54e225bf7d73643d98
tree	1a753d8ec9eb6dfad6144bd4b4778669dfda36af	tree
parent	9a96bdae0cf289b6d90514d869a97882c25fdc6e	commit \| diff

fs/minix: reject too-large maximum file size

commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.

If the minix filesystem tries to map a very large logical block number to
its on-disk location, block_to_path() can return offsets that are too
large, causing out-of-bounds memory accesses when accessing indirect index
blocks. This should be prevented by the check against the maximum file
size, but this doesn't work because the maximum file size is read directly
from the on-disk superblock and isn't validated itself.

Fix this by validating the maximum file size at mount time.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Qiujun Huang <anenbupt@gmail.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>