linux-stable/fs/nilfs2
Ryusuke Konishi d706485dff nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
[ Upstream commit 610a2a3d7d ]

Patch series "nilfs2: fix UBSAN shift-out-of-bounds warnings on mount
time".

The first patch fixes a bug reported by syzbot, and the second one fixes
the remaining bug of the same kind.  Although they are triggered by the
same super block data anomaly, I divided it into the above two because the
details of the issues and how to fix them are different.

Both are required to eliminate the shift-out-of-bounds issues at mount
time.

This patch (of 2):

If the block size exponent information written in an on-disk superblock is
corrupted, the nilfs_sb2_bad_offset helper function can trigger a
shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn
is set):

 shift exponent 38983 is too large for 64-bit type 'unsigned long long'
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
  ubsan_epilogue lib/ubsan.c:151 [inline]
  __ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322
  nilfs_sb2_bad_offset fs/nilfs2/the_nilfs.c:449 [inline]
  nilfs_load_super_block+0xdf5/0xe00 fs/nilfs2/the_nilfs.c:523
  init_nilfs+0xb7/0x7d0 fs/nilfs2/the_nilfs.c:577
  nilfs_fill_super+0xb1/0x5d0 fs/nilfs2/super.c:1047
  nilfs_mount+0x613/0x9b0 fs/nilfs2/super.c:1317
  ...

In addition, since nilfs_sb2_bad_offset() performs multiplication without
considering the upper bound, the computation may overflow if the disk
layout parameters are not normal.

This fixes these issues by inserting preliminary sanity checks for those
parameters and by converting the comparison from one involving
multiplication and left bit-shifting to one using division and right
bit-shifting.

Link: https://lkml.kernel.org/r/20221027044306.42774-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20221027044306.42774-2-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+e91619dd4c11c4960706@syzkaller.appspotmail.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-01-18 11:41:34 +01:00
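To illustrate the two-part fix the commit message describes, here is an added userspace model, not the kernel's own code: a function in the old multiply-then-shift-left shape beside one in the hardened shape (bound the parameters first, then divide and shift right). The struct, function names, and the block-size and segment-length bounds are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds assumed for this illustration (1 KiB minimum and 64 KiB maximum
 * block size, minimum segment length); not taken from the page. */
#define BLOCK_SIZE_BITS      10U
#define MAX_BLOCK_SIZE_BITS  16U
#define SEG_MIN_BLOCKS       16U

/* Hypothetical userspace model of the on-disk layout fields involved. */
struct sb_layout {
	uint32_t log_block_size;     /* block size = 1 << (BLOCK_SIZE_BITS + this) */
	uint32_t blocks_per_segment;
	uint64_t nsegments;
};

/* Shape of the original comparison as the commit describes it: multiply,
 * then shift left. A corrupted exponent makes the shift undefined, and the
 * product can wrap before the comparison happens. Kept for contrast only. */
static int bad_offset_naive(const struct sb_layout *l, uint64_t offset)
{
	uint64_t span = l->nsegments * l->blocks_per_segment;
	return offset < (span << (l->log_block_size + BLOCK_SIZE_BITS));
}

/* Shape of the fix: reject out-of-range parameters up front, then divide and
 * shift right so every intermediate value is <= offset and cannot overflow.
 * Returns -EINVAL for an unusable layout, 1 if offset is inside the span, 0 otherwise. */
static int bad_offset_hardened(const struct sb_layout *l, uint64_t offset)
{
	if (l->blocks_per_segment < SEG_MIN_BLOCKS ||
	    l->log_block_size > MAX_BLOCK_SIZE_BITS - BLOCK_SIZE_BITS)
		return -EINVAL;

	uint64_t index = offset >> (l->log_block_size + BLOCK_SIZE_BITS);
	index /= l->blocks_per_segment;
	return index < l->nsegments;
}

int main(void)
{
	/* Constructed layouts: a sane one (4 KiB blocks, 2048 blocks/segment, 8
	 * segments) and one carrying the 38983 exponent from the UBSAN report. */
	struct sb_layout sane = { 2, 2048, 8 }, corrupt = { 38983, 2048, 8 };
	printf("sane:    naive=%d hardened=%d\n", bad_offset_naive(&sane, 1 << 20), bad_offset_hardened(&sane, 1 << 20));
	printf("corrupt: hardened=%d (EINVAL is %d)\n", bad_offset_hardened(&corrupt, 1 << 20), -EINVAL);
	return 0;
}
```

The naive form is only ever called with the sane layout; feeding it the corrupted exponent would reproduce the undefined shift the report shows, which is exactly what the hardened form's bounds check prevents.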
alloc.c nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
alloc.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
bmap.c nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
bmap.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
btnode.c nilfs2: fix lockdep warnings in page operations for btree nodes 2022-05-25 09:14:33 +02:00
btnode.h nilfs2: fix lockdep warnings in page operations for btree nodes 2022-05-25 09:14:33 +02:00
btree.c nilfs2: fix lockdep warnings in page operations for btree nodes 2022-05-25 09:14:33 +02:00
btree.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
cpfile.c nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
cpfile.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
dat.c nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() 2022-12-08 11:23:04 +01:00
dat.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
dir.c nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
direct.c nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
direct.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
export.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
file.c nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
gcinode.c nilfs2: fix lockdep warnings in page operations for btree nodes 2022-05-25 09:14:33 +02:00
ifile.c nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
ifile.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
inode.c nilfs2: fix use-after-free bug of struct nilfs_root 2022-10-26 13:22:17 +02:00
ioctl.c vfs: create a generic checking and prep function for FS_IOC_SETFLAGS 2019-07-01 08:25:34 -07:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mdt.c nilfs2: fix lockdep warnings during disk space reclamation 2022-05-25 09:14:33 +02:00
mdt.h nilfs2: fix lockdep warnings during disk space reclamation 2022-05-25 09:14:33 +02:00
namei.c nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
nilfs.h nilfs2: fix incorrect masking of permission flags for symlinks 2022-07-21 20:59:18 +02:00
page.c nilfs2: fix lockdep warnings in page operations for btree nodes 2022-05-25 09:14:33 +02:00
page.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
recovery.c nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
segbuf.c nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
segbuf.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
segment.c nilfs2: fix use-after-free bug of ns_writer on remount 2022-11-25 17:42:09 +01:00
segment.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
sufile.c nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty 2022-12-08 11:23:00 +01:00
sufile.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
super.c nilfs2: fix use-after-free bug of ns_writer on remount 2022-11-25 17:42:09 +01:00
sysfs.c nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group 2021-09-26 14:07:13 +02:00
sysfs.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
the_nilfs.c nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() 2023-01-18 11:41:34 +01:00
the_nilfs.h nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00