Anant, On Wed, Oct 14, 2020 at 6:31 PM Anant Thazhemadam <anant.thazhema...@gmail.com> wrote: > In gfs2_check_sb(), no validation checks are performed with regards to > the size of the superblock. > syzkaller detected a slab-out-of-bounds bug that was primarily caused > because the block size for a superblock was set to zero. > A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE. > Performing validation checks and ensuring that the size of the superblock > is valid fixes this bug. > > Reported-by: syzbot+af90d47a37376844e...@syzkaller.appspotmail.com > Tested-by: syzbot+af90d47a37376844e...@syzkaller.appspotmail.com > Suggested-by: Andrew Price <anpr...@redhat.com> > Signed-off-by: Anant Thazhemadam <anant.thazhema...@gmail.com> > --- > > Changes in v2: > > * Completely dropped the changes proposed in v1. Instead, > validity checks for superblock size have been introduced. > (Suggested by Andrew Price<anpr...@redhat.com>) > > * Addded a "Suggested-by" tag accrediting the patch idea to > Andrew. If there's any issue with that, please let me know. > > * Changed the commit header and commit message appropriately. > > * Updated "Reported-by" and "Tested-by" tags to the same instance > of the bug that was detected earlier (non consequential change). > > > fs/gfs2/ops_fstype.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c > index 6d18d2c91add..f0605fae2c4c 100644 > --- a/fs/gfs2/ops_fstype.c > +++ b/fs/gfs2/ops_fstype.c > @@ -169,6 +169,13 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int > silent) > return -EINVAL; > } > > + /* Check if the size of the block is valid - a power of 2 between 512 > and PAGE_SIZE */ > + if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE || (sb->sb_bsize & > (sb->sb_bsize - 1))) { > + if (!silent) > + pr_warn("Invalid superblock size\n"); > + return -EINVAL; > + } > +
I'll add that to for-next. Thanks, Andreas