Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START

omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),
but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).

Later, omfs_make_empty() uses

sbi->s_sys_blocksize - OMFS_DIR_START

as the length argument to memset(). Since s_sys_blocksize is u32,
a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes
an unsigned underflow there, wrapping to a value near 2^32. That drives
a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel
memory far beyond the backing block buffer.

Add the corresponding lower-bound check alongside the existing upper-bound
check in omfs_fill_super(), so that malformed images are rejected during
superblock validation before any filesystem data is processed.

Fixes: a3ab7155ea21 ("omfs: add directory routines")
Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
Link: https://patch.msgid.link/20260317054827.1822061-1-jhj140711@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
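The u32 wrap described in the commit message, shown as an added example (not code from this commit or from fs/omfs): the unchecked length computation beside a validator that applies both bounds, and a fill routine that refuses to touch the buffer until the size passes. PAGE_SIZE is assumed to be 4096 and the error value -1 stands in for the kernel's -EINVAL.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the commit message; PAGE_SIZE is an assumption (4096). */
#define OMFS_DIR_START    0x1b8u   /* 440 */
#define PAGE_SIZE_ASSUMED 4096u

/* Static stand-in for bh->b_data: one page-sized block buffer. */
static uint8_t block_buf[PAGE_SIZE_ASSUMED];

/* Unvalidated length as used by omfs_make_empty(): u32 arithmetic wraps
 * when s_sys_blocksize < OMFS_DIR_START, giving a value near 2^32. */
static uint32_t omfs_dir_fill_len(uint32_t s_sys_blocksize)
{
    return s_sys_blocksize - OMFS_DIR_START;
}

/* Superblock validation mirroring omfs_fill_super() after the fix:
 * reject values above PAGE_SIZE and values below OMFS_DIR_START.
 * Returns 0 when the size is acceptable, -1 otherwise. */
static int omfs_sys_blocksize_ok(uint32_t s_sys_blocksize)
{
    if (s_sys_blocksize > PAGE_SIZE_ASSUMED)
        return -1;
    if (s_sys_blocksize < OMFS_DIR_START)
        return -1;
    return 0;
}

/* Hypothetical checked fill: validate first, so the memset length is
 * bounded by the block buffer and a crafted size can never wrap. */
static int omfs_make_empty_checked(uint32_t s_sys_blocksize)
{
    if (omfs_sys_blocksize_ok(s_sys_blocksize) != 0)
        return -1;
    memset(block_buf + OMFS_DIR_START, 0, omfs_dir_fill_len(s_sys_blocksize));
    return 0;
}

int main(void)
{
    uint32_t crafted = 0x100; /* constructed value below OMFS_DIR_START */
    printf("unchecked length for 0x%x: 0x%08x\n", crafted, omfs_dir_fill_len(crafted));
    printf("checked fill, crafted size: %d\n", omfs_make_empty_checked(crafted));
    printf("checked fill, 2048: %d\n", omfs_make_empty_checked(2048));
    return 0;
}
```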

authored by HyungJung Joo and committed by Christian Brauner
0621c385 2727d44f

+6 fs/omfs/inode.c
··· 513 513 goto out_brelse_bh; 514 514 } 515 515 516 + if (sbi->s_sys_blocksize < OMFS_DIR_START) { 517 + printk(KERN_ERR "omfs: sysblock size (%d) is too small\n", 518 + sbi->s_sys_blocksize); 519 + goto out_brelse_bh; 520 + } 521 + 516 522 if (sbi->s_blocksize < sbi->s_sys_blocksize || 517 523 sbi->s_blocksize > OMFS_MAX_BLOCK_SIZE) { 518 524 printk(KERN_ERR "omfs: block size (%d) is out of range\n",
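Review bot: the new `if (sbi->s_sys_blocksize < OMFS_DIR_START)` block prints the value with `%d`, while the commit message states s_sys_blocksize is u32, so `%u` would be the matching specifier; the adjacent `omfs: block size (%d) is out of range` message already uses `%d` for the same field, so keeping `%d` is a consistency choice rather than a defect, but a follow-up could switch both. Placement is right: the check sits directly after the existing upper-bound check's `goto out_brelse_bh; }` and before the `s_blocksize < s_sys_blocksize` range check, and it jumps to the same `out_brelse_bh` label, so a rejected image still releases the buffer head on the existing error path. Since the comparison is strict, a size equal to OMFS_DIR_START is still accepted and gives a zero-length memset in omfs_make_empty(), which is the intended boundary.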