ext4: allow ext4_get_group_info() to fail
[ Upstream commit 5354b2af34064a4579be8bc0e2f15a7b70f14b5f ] Previously, ext4_get_group_info() would treat an invalid group number as BUG(), since in theory it should never happen. However, if a malicious attaker (or fuzzer) modifies the superblock via the block device while it is the file system is mounted, it is possible for s_first_data_block to get set to a very large number. In that case, when calculating the block group of some block number (such as the starting block of a preallocation region), could result in an underflow and very large block group number. Then the BUG_ON check in ext4_get_group_info() would fire, resutling in a denial of service attack that can be triggered by root or someone with write access to the block device. For a quality of implementation perspective, it's best that even if the system administrator does something that they shouldn't, that it will not trigger a BUG. So instead of BUG'ing, ext4_get_group_info() will call ext4_error and return NULL. We also add fallback code in all of the callers of ext4_get_group_info() that it might NULL. Also, since ext4_get_group_info() was already borderline to be an inline function, un-inline it. The results in a next reduction of the compiled text size of ext4 by roughly 2k. Cc: stable@kernel.org Link: https://lore.kernel.org/r/20230430154311.579720-2-tytso@mit.edu Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220 Signed-off-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Theodore Ts'o
committed by
Greg Kroah-Hartman
Greg Kroah-Hartman
parent
371d8b8ea0
commit
100c0ad6c0
@@ -319,6 +319,22 @@ static ext4_fsblk_t ext4_valid_block_bitmap_padding(struct super_block *sb,
|
||||
return (next_zero_bit < bitmap_size ? next_zero_bit : 0);
|
||||
}
|
||||
|
||||
struct ext4_group_info *ext4_get_group_info(struct super_block *sb,
|
||||
ext4_group_t group)
|
||||
{
|
||||
struct ext4_group_info **grp_info;
|
||||
long indexv, indexh;
|
||||
|
||||
if (unlikely(group >= EXT4_SB(sb)->s_groups_count)) {
|
||||
ext4_error(sb, "invalid group %u", group);
|
||||
return NULL;
|
||||
}
|
||||
indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb));
|
||||
indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1);
|
||||
grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv);
|
||||
return grp_info[indexh];
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the block number which was discovered to be invalid, or 0 if
|
||||
* the block bitmap is valid.
|
||||
@@ -393,7 +409,7 @@ static int ext4_validate_block_bitmap(struct super_block *sb,
|
||||
|
||||
if (buffer_verified(bh))
|
||||
return 0;
|
||||
if (EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
|
||||
if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
|
||||
return -EFSCORRUPTED;
|
||||
|
||||
ext4_lock_group(sb, block_group);
|
||||
|
||||
Reference in New Issue
Block a user