commit: 967ac8af4475ce45474800709b12137aa7634c77 From: Haogang Chen <[email protected]> Date: Mon, 28 May 2012 14:21:55 -0400 Subject: ext4: fix potential integer overflow in alloc_flex_gd()
In alloc_flex_gd(), when flexbg_size is large, kmalloc size would overflow and flex_gd->groups would point to a buffer smaller than expected, causing OOB accesses when it is used. Note that in ext4_resize_fs(), flexbg_size is calculated using sbi->s_log_groups_per_flex, which is read from the disk and only bounded to [1, 31]. The patch returns NULL for too large flexbg_size. Reviewed-by: Eric Sandeen <[email protected]> Signed-off-by: Haogang Chen <[email protected]> Signed-off-by: "Theodore Ts'o" <[email protected]> Cc: [email protected] --- fs/ext4/resize.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c index a58ce7c..05c7979 100644 --- a/fs/ext4/resize.c +++ b/fs/ext4/resize.c @@ -161,6 +161,8 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size) if (flex_gd == NULL) goto out3; + if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data)) + goto out2; flex_gd->count = flexbg_size; flex_gd->groups = kmalloc(sizeof(struct ext4_new_group_data) * -- 1.7.3.4 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
