fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
authorHyungJung Joo <jhj140711@gmail.com>
Tue, 17 Mar 2026 05:48:27 +0000 (14:48 +0900)
committerChristian Brauner <brauner@kernel.org>
Tue, 17 Mar 2026 14:35:54 +0000 (15:35 +0100)
omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),
but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).

Later, omfs_make_empty() uses

    sbi->s_sys_blocksize - OMFS_DIR_START

as the length argument to memset().  Since s_sys_blocksize is u32,
a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes
an unsigned underflow there, wrapping to a value near 2^32.  That drives
a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel
memory far beyond the backing block buffer.

Add the corresponding lower-bound check alongside the existing upper-bound
check in omfs_fill_super(), so that malformed images are rejected during
superblock validation before any filesystem data is processed.

Fixes: a3ab7155ea21 ("omfs: add directory routines")
Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
Link: https://patch.msgid.link/20260317054827.1822061-1-jhj140711@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
fs/omfs/inode.c

index 701ed85d98310f57f7f1d09415fb4031da89f4d5..23aa3f54aaba602e4286420ae1bb45c75dcf52b4 100644 (file)
@@ -513,6 +513,12 @@ static int omfs_fill_super(struct super_block *sb, struct fs_context *fc)
                goto out_brelse_bh;
        }
 
+       if (sbi->s_sys_blocksize < OMFS_DIR_START) {
+               printk(KERN_ERR "omfs: sysblock size (%d) is too small\n",
+                       sbi->s_sys_blocksize);
+               goto out_brelse_bh;
+       }
+
        if (sbi->s_blocksize < sbi->s_sys_blocksize ||
            sbi->s_blocksize > OMFS_MAX_BLOCK_SIZE) {
                printk(KERN_ERR "omfs: block size (%d) is out of range\n",
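Review bot: The added printk formats sbi->s_sys_blocksize with `%d`, although the commit message describes the field as u32; the neighbouring "block size (%d)" message does the same, so the new line is consistent with the file, but `%u` is the matching specifier and would not print a wrapped negative number for values with the top bit set, e.g. `printk(KERN_ERR "omfs: sysblock size (%u) is too small\n",`. A short comment above the new check tying it to the consumer would help the next reader, e.g. `/* omfs_make_empty() computes s_sys_blocksize - OMFS_DIR_START; reject values that would underflow */`. The equality case s_sys_blocksize == OMFS_DIR_START is accepted by the new check, which appears intentional since the subtraction then yields zero. omfs_fill_super's body begins before and continues past this hunk, so the out_brelse_bh label and the remaining validation are not visible here.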