{"id":809880,"url":"http://patchwork.ozlabs.org/api/1.2/patches/809880/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-ext4/patch/20170905003407.8766-1-tytso@mit.edu/","project":{"id":8,"url":"http://patchwork.ozlabs.org/api/1.2/projects/8/?format=json","name":"Linux ext4 filesystem development","link_name":"linux-ext4","list_id":"linux-ext4.vger.kernel.org","list_email":"linux-ext4@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170905003407.8766-1-tytso@mit.edu>","list_archive_url":null,"date":"2017-09-05T00:34:07","name":"e2fsck, libext2fs: add checks for insanely large file systems","commit_ref":null,"pull_url":null,"state":"accepted","archived":true,"hash":"dfd546c33f3cfe518f08bcd973b341a9a5727baf","submitter":{"id":350,"url":"http://patchwork.ozlabs.org/api/1.2/people/350/?format=json","name":"Theodore Tso","email":"tytso@mit.edu"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-ext4/patch/20170905003407.8766-1-tytso@mit.edu/mbox/","series":[{"id":1471,"url":"http://patchwork.ozlabs.org/api/1.2/series/1471/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-ext4/list/?series=1471","date":"2017-09-05T00:34:07","name":"e2fsck, libext2fs: add checks for insanely large file systems","version":1,"mbox":"http://patchwork.ozlabs.org/series/1471/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/809880/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/809880/checks/","tags":{},"related":[],"headers":{"Return-Path":"<linux-ext4-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=linux-ext4-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","ozlabs.org; 
dkim=pass (1024-bit key;\n\tunprotected) header.d=thunk.org header.i=@thunk.org\n\theader.b=\"nAbvAPzP\"; dkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmSQL1Dhjz9s4s\n\tfor <patchwork-incoming@ozlabs.org>;\n\tTue,  5 Sep 2017 10:34:18 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1754049AbdIEAeP (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tMon, 4 Sep 2017 20:34:15 -0400","from imap.thunk.org ([74.207.234.97]:56278 \"EHLO imap.thunk.org\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1754045AbdIEAeP (ORCPT <rfc822;linux-ext4@vger.kernel.org>);\n\tMon, 4 Sep 2017 20:34:15 -0400","from root (helo=callcc.thunk.org)\n\tby imap.thunk.org with local-esmtp (Exim 4.84_2)\n\t(envelope-from <tytso@thunk.org>)\n\tid 1dp1ok-0005Un-C9; Tue, 05 Sep 2017 00:34:14 +0000","by callcc.thunk.org (Postfix, from userid 15806)\n\tid 53716C008AB; Mon,  4 Sep 2017 20:34:13 -0400 (EDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org;\n\ts=ef5046eb; h=Message-Id:Date:Subject:Cc:To:From;\n\tbh=8xpG7NybRD+6F1UYUWtvvkTvNizX4Dd8mZTL+6XKroo=; \n\tb=nAbvAPzPMzB3zrHOSgWPza8qZmbctjLa7ZU4xiwg2Gc1giGlgQ5obEy6ZwGkVb2Stca9Txu/pwNNhW2uqANEYXz2BM04W+N785FT/kXXdY0g3wGswsz3vg+/5p2BRuCtrdUhlDOZ0fcWIp4cTjL+p0SiSJLknhPpwclFlleWGA4=;","From":"Theodore Ts'o <tytso@mit.edu>","To":"Ext4 Developers List <linux-ext4@vger.kernel.org>","Cc":"Theodore Ts'o <tytso@mit.edu>","Subject":"[PATCH] e2fsck,\n\tlibext2fs: add checks for insanely large file systems","Date":"Mon,  4 Sep 2017 20:34:07 -0400","Message-Id":"<20170905003407.8766-1-tytso@mit.edu>","X-Mailer":"git-send-email 2.11.0.rc0.7.gbe5a750","X-SA-Exim-Connect-IP":"<locally generated>","X-SA-Exim-Mail-From":"tytso@thunk.org","X-SA-Exim-Scanned":"No (on imap.thunk.org); SAEximRunCond expanded to 
false","Sender":"linux-ext4-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<linux-ext4.vger.kernel.org>","X-Mailing-List":"linux-ext4@vger.kernel.org"},"content":"If the blocks count field is too large, this can cause numeric\noverflows which can result in buffer overflows.\n\nAddresses-Debian-Bug: #873757\n\nSigned-off-by: Theodore Ts'o <tytso@mit.edu>\nReported-by: Jakub Wilk <jwilk@jwilk.net>\n---\n e2fsck/super.c      | 31 +++++++++++++++++++++++++++++--\n lib/ext2fs/openfs.c | 12 +++++++++---\n 2 files changed, 38 insertions(+), 5 deletions(-)","diff":"diff --git a/e2fsck/super.c b/e2fsck/super.c\nindex 8153f2bfe..47c89c56f 100644\n--- a/e2fsck/super.c\n+++ b/e2fsck/super.c\n@@ -41,6 +41,23 @@ static void check_super_value(e2fsck_t ctx, const char *descr,\n \t}\n }\n \n+static void check_super_value64(e2fsck_t ctx, const char *descr,\n+\t\t\t\t__u64 value, int flags,\n+\t\t\t\t__u64 min_val, __u64 max_val)\n+{\n+\tstruct\t\tproblem_context pctx;\n+\n+\tif ((flags & MIN_CHECK && value < min_val) ||\n+\t    (flags & MAX_CHECK && value > max_val) ||\n+\t    (flags & LOG2_CHECK && (value & (value - 1)) != 0)) {\n+\t\tclear_problem_context(&pctx);\n+\t\tpctx.num = value;\n+\t\tpctx.str = descr;\n+\t\tfix_problem(ctx, PR_0_MISC_CORRUPT_SUPER, &pctx);\n+\t\tctx->flags |= E2F_FLAG_ABORT; /* never get here! 
*/\n+\t}\n+}\n+\n /*\n  * helper function to release an inode\n  */\n@@ -468,6 +485,7 @@ void check_super_block(e2fsck_t ctx)\n \tproblem_t\tproblem;\n \tblk64_t\tblocks_per_group = fs->super->s_blocks_per_group;\n \t__u32\tbpg_max, cpg_max;\n+\t__u64\tblks_max;\n \tint\tinodes_per_block;\n \tint\tinode_size;\n \tint\taccept_time_fudge;\n@@ -497,6 +515,15 @@ void check_super_block(e2fsck_t ctx)\n \tctx->invalid_inode_table_flag = (int *) e2fsck_allocate_memory(ctx,\n \t\tsizeof(int) * fs->group_desc_count, \"invalid_inode_table\");\n \n+\tblks_max = (1ULL << 32) * EXT2_MAX_BLOCKS_PER_GROUP(fs->super);\n+\tif (ext2fs_has_feature_64bit(fs->super)) {\n+\t\tif (blks_max > ((1ULL << 48) - 1))\n+\t\t\tblks_max = (1ULL << 48) - 1;\n+\t} else {\n+\t\tif (blks_max > ((1ULL << 32) - 1))\n+\t\t\tblks_max = (1ULL << 32) - 1;\n+\t}\n+\n \tclear_problem_context(&pctx);\n \n \t/*\n@@ -504,8 +531,8 @@ void check_super_block(e2fsck_t ctx)\n \t */\n \tcheck_super_value(ctx, \"inodes_count\", sb->s_inodes_count,\n \t\t\t  MIN_CHECK, 1, 0);\n-\tcheck_super_value(ctx, \"blocks_count\", ext2fs_blocks_count(sb),\n-\t\t\t  MIN_CHECK, 1, 0);\n+\tcheck_super_value64(ctx, \"blocks_count\", ext2fs_blocks_count(sb),\n+\t\t\t    MIN_CHECK | MAX_CHECK, 1, blks_max);\n \tcheck_super_value(ctx, \"first_data_block\", sb->s_first_data_block,\n \t\t\t  MAX_CHECK, 0, ext2fs_blocks_count(sb));\n \tcheck_super_value(ctx, \"log_block_size\", sb->s_log_block_size,\ndiff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c\nindex da03bc147..f74cd2458 100644\n--- a/lib/ext2fs/openfs.c\n+++ b/lib/ext2fs/openfs.c\n@@ -122,6 +122,7 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,\n \tchar\t\t*dest, *cp;\n \tint\t\tgroup_zero_adjust = 0;\n \tint\t\tinode_size;\n+\t__u64\t\tgroups_cnt;\n #ifdef WORDS_BIGENDIAN\n \tunsigned int\tgroups_per_block;\n \tstruct ext2_group_desc *gdp;\n@@ -371,9 +372,14 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,\n \t\tretval = 
EXT2_ET_CORRUPT_SUPERBLOCK;\n \t\tgoto cleanup;\n \t}\n-\tfs->group_desc_count = ext2fs_div64_ceil(ext2fs_blocks_count(fs->super) -\n-\t\t\t\t\t\t fs->super->s_first_data_block,\n-\t\t\t\t\t\t blocks_per_group);\n+\tgroups_cnt = ext2fs_div64_ceil(ext2fs_blocks_count(fs->super) -\n+\t\t\t\t       fs->super->s_first_data_block,\n+\t\t\t\t       blocks_per_group);\n+\tif (groups_cnt >> 32) {\n+\t\tretval = EXT2_ET_CORRUPT_SUPERBLOCK;\n+\t\tgoto cleanup;\n+\t}\n+\tfs->group_desc_count = \tgroups_cnt;\n \tif (fs->group_desc_count * EXT2_INODES_PER_GROUP(fs->super) !=\n \t    fs->super->s_inodes_count) {\n \t\tretval = EXT2_ET_CORRUPT_SUPERBLOCK;\n","prefixes":[]}
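
Review bot: in check_super_value64() (e2fsck/super.c, first hunk) the LOG2_CHECK test "(value & (value - 1)) != 0" is false for value 0, so a zero passes as a power of two unless the caller also sets MIN_CHECK. Either reject zero in that branch or document that LOG2_CHECK must be paired with MIN_CHECK. The "/* never get here! */" comment also relies on fix_problem() not returning for PR_0_MISC_CORRUPT_SUPER; an explicit return after setting E2F_FLAG_ABORT would make the function safe if that assumption ever changes. A short comment above the function describing the three flags would help, since it is the 64-bit counterpart of an existing helper.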
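
Review bot: the blks_max computation in check_super_block() (e2fsck/super.c, hunk at -497) has no comment explaining the bound, and its non-64bit branch is a comparison that is always true. "(1ULL << 32) * EXT2_MAX_BLOCKS_PER_GROUP(fs->super)" is at least 1ULL << 32 for any nonzero macro value, so "if (blks_max > ((1ULL << 32) - 1))" can be a plain assignment. Please add a line saying the limit is 2^32 groups times the maximum blocks per group, capped at 2^48 - 1 or 2^32 - 1 depending on the 64bit feature. Also worth confirming: the macro takes fs->super, and this runs before the "log_block_size" check that appears further down in the same function, so if the macro depends on superblock fields that e2fsck has not yet validated, the 64-bit product itself could wrap for a crafted superblock.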
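
Review bot: in the last e2fsck/super.c hunk, the unchanged context line for "first_data_block" still passes ext2fs_blocks_count(sb) as the maximum to the old check_super_value(). If that helper's max parameter is narrower than 64 bits (which is presumably why check_super_value64() was needed for "blocks_count"), the upper bound is truncated on 64bit file systems and the check can misfire in either direction. Consider moving that call to check_super_value64() in the same patch.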
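
Review bot: in ext2fs_open2() (lib/ext2fs/openfs.c, hunk at -371) the subtraction "ext2fs_blocks_count(fs->super) - fs->super->s_first_data_block" is unsigned and wraps if s_first_data_block exceeds the block count; the new "groups_cnt >> 32" test only catches that when the wrapped quotient happens to be large enough. Unless an earlier check in this function already rejects that case, compare the two fields before dividing and return EXT2_ET_CORRUPT_SUPERBLOCK. The context line that follows, "fs->group_desc_count * EXT2_INODES_PER_GROUP(fs->super)", deserves the same scrutiny: if both operands are 32-bit, the product can still wrap and spuriously match s_inodes_count. Style nit: there is a stray tab after the "=" in "fs->group_desc_count = \tgroups_cnt;".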