ext4: sanity check the block and cluster size at mount time

commit 8cdf3372fe8368f56315e66bea9f35053c418093 upstream.

If the block size or cluster size is insane, reject the mount.  This
is important for security reasons (although we shouldn't be just
depending on this check).

Ref: http://www.securityfocus.com/archive/1/539661
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1332506
Reported-by: Borislav Petkov <bp@alien8.de>
Reported-by: Nikolay Borisov <kernel@kyup.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 08dc605bec4839c869442fc95d9b2ecbc43c7de6..7075d70b73af86e698e78766cedab2a172d4545d 100644 (file)
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -234,6 +234,7 @@ struct ext4_io_submit {
 #define        EXT4_MAX_BLOCK_SIZE             65536
 #define EXT4_MIN_BLOCK_LOG_SIZE                10
 #define EXT4_MAX_BLOCK_LOG_SIZE                16
+#define EXT4_MAX_CLUSTER_LOG_SIZE      30
 #ifdef __KERNEL__
 # define EXT4_BLOCK_SIZE(s)            ((s)->s_blocksize)
 #else

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 1c239bba4344acf85a490ac1fb5ff79ad717db52..a1fed6689db2dd6d64e011c56cf11deacc9bc310 100644 (file)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3666,7 +3666,15 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
        if (blocksize < EXT4_MIN_BLOCK_SIZE ||
            blocksize > EXT4_MAX_BLOCK_SIZE) {
                ext4_msg(sb, KERN_ERR,
-                      "Unsupported filesystem blocksize %d", blocksize);
+                      "Unsupported filesystem blocksize %d (%d log_block_size)",
+                        blocksize, le32_to_cpu(es->s_log_block_size));
+               goto failed_mount;
+       }
+       if (le32_to_cpu(es->s_log_block_size) >
+           (EXT4_MAX_BLOCK_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
+               ext4_msg(sb, KERN_ERR,
+                        "Invalid log block size: %u",
+                        le32_to_cpu(es->s_log_block_size));
                goto failed_mount;
        }
 
@@ -3788,6 +3796,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
                                 "block size (%d)", clustersize, blocksize);
                        goto failed_mount;
                }
+               if (le32_to_cpu(es->s_log_cluster_size) >
+                   (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
+                       ext4_msg(sb, KERN_ERR,
+                                "Invalid log cluster size: %u",
+                                le32_to_cpu(es->s_log_cluster_size));
+                       goto failed_mount;
+               }
                sbi->s_cluster_bits = le32_to_cpu(es->s_log_cluster_size) -
                        le32_to_cpu(es->s_log_block_size);
                sbi->s_clusters_per_group =