From patchwork Mon Feb 20 22:41:24 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: FS: ext4: fix integer overflow in alloc_flex_gd()
Date: Mon, 20 Feb 2012 12:41:24 -0000
From: Haogang Chen <haogangchen@gmail.com>
X-Patchwork-Id: 142200
Message-Id: <1329777684-18396-1-git-send-email-haogangchen@gmail.com>
To: Theodore Tso <tytso@mit.edu>, Andreas Dilger <adilger.kernel@dilger.ca>,
 linux-ext4@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, haogangchen@gmail.com

In alloc_flex_gd(), when flexbg_size is large, kmalloc size would
overflow and flex_gd->groups would point to a buffer smaller than
expected, causing OOB accesses when it is used.

Note that in ext4_resize_fs(), flexbg_size is calculated using
sbi->s_log_groups_per_flex, which is read from the disk and only bounded
to [1, 31]. The patch returns NULL for too large flexbg_size.

Signed-off-by: Haogang Chen <haogangchen@gmail.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>

---
fs/ext4/resize.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index f9d948f..8601f4b 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -161,6 +161,8 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size)
 	if (flex_gd == NULL)
 		goto out3;
 
+	if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data))
+		goto out2;
 	flex_gd->count = flexbg_size;
 
 	flex_gd->groups = kmalloc(sizeof(struct ext4_new_group_data) *