Anant,
On Wed, Oct 14, 2020 at 6:31 PM Anant Thazhemadam
<anant.thazhema...@gmail.com> wrote:
> In gfs2_check_sb(), no validation checks are performed with regards to
> the size of the superblock.
> syzkaller detected a slab-out-of-bounds bug that was primarily caused
> because the block size for a superblock was set to zero.
> A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE.
> Performing validation checks and ensuring that the size of the superblock
> is valid fixes this bug.
>
> Reported-by: syzbot+af90d47a37376844e...@syzkaller.appspotmail.com
> Tested-by: syzbot+af90d47a37376844e...@syzkaller.appspotmail.com
> Suggested-by: Andrew Price <anpr...@redhat.com>
> Signed-off-by: Anant Thazhemadam <anant.thazhema...@gmail.com>
> ---
>
> Changes in v2:
>
> * Completely dropped the changes proposed in v1. Instead,
> validity checks for superblock size have been introduced.
> (Suggested by Andrew Price<anpr...@redhat.com>)
>
> * Addded a "Suggested-by" tag accrediting the patch idea to
> Andrew. If there's any issue with that, please let me know.
>
> * Changed the commit header and commit message appropriately.
>
> * Updated "Reported-by" and "Tested-by" tags to the same instance
> of the bug that was detected earlier (non consequential change).
>
>
> fs/gfs2/ops_fstype.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
> index 6d18d2c91add..f0605fae2c4c 100644
> --- a/fs/gfs2/ops_fstype.c
> +++ b/fs/gfs2/ops_fstype.c
> @@ -169,6 +169,13 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int
> silent)
> return -EINVAL;
> }
>
> + /* Check if the size of the block is valid - a power of 2 between 512
> and PAGE_SIZE */
> + if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE || (sb->sb_bsize &
> (sb->sb_bsize - 1))) {
> + if (!silent)
> + pr_warn("Invalid superblock size\n");
> + return -EINVAL;
> + }
> +
I'll add that to for-next.
Thanks,
Andreas
