diff options
| author | Haogang Chen <haogangchen@gmail.com> | 2012-05-28 14:21:55 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-06-10 00:36:16 +0900 |
| commit | a9ea4481033197d29c606a935b24336a96cb3082 (patch) | |
| tree | d1236a43ca42a124c272e9fb5ca3a15bbd573d90 | |
| parent | 3c7f096206323ae4c9ad3db62fece0b19df21532 (diff) | |
| download | linux-3.10-a9ea4481033197d29c606a935b24336a96cb3082.tar.gz linux-3.10-a9ea4481033197d29c606a935b24336a96cb3082.tar.bz2 linux-3.10-a9ea4481033197d29c606a935b24336a96cb3082.zip | |
ext4: fix potential integer overflow in alloc_flex_gd()
commit 967ac8af4475ce45474800709b12137aa7634c77 upstream.
In alloc_flex_gd(), when flexbg_size is large, kmalloc size would
overflow and flex_gd->groups would point to a buffer smaller than
expected, causing OOB accesses when it is used.
Note that in ext4_resize_fs(), flexbg_size is calculated using
sbi->s_log_groups_per_flex, which is read from the disk and only bounded
to [1, 31]. The patch returns NULL for too large flexbg_size.
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/ext4/resize.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c index 59fa0be2725..53589ff8824 100644 --- a/fs/ext4/resize.c +++ b/fs/ext4/resize.c @@ -161,6 +161,8 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size) if (flex_gd == NULL) goto out3; + if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data)) + goto out2; flex_gd->count = flexbg_size; flex_gd->groups = kmalloc(sizeof(struct ext4_new_group_data) * |