tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'vfs-7.0-rc1.minix' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs

Pull minix update from Christian Brauner:
"Consolidate and strengthen superblock validation in
minix_check_superblock()

The minix filesystem driver does not validate several superblock
fields before using them during mount, allowing a crafted filesystem
image to trigger out-of-bounds accesses (reported by syzbot)"

* tag 'vfs-7.0-rc1.minix' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
minix: Add required sanity checking to minix_check_superblock()

Linus Torvalds 7e01a69f 6124fa45

+29 -21
+29 -21
fs/minix/inode.c
··· 170 170 static bool minix_check_superblock(struct super_block *sb) 171 171 { 172 172 struct minix_sb_info *sbi = minix_sb(sb); 173 + unsigned long block; 173 174 174 - if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) 175 + if (sbi->s_log_zone_size != 0) { 176 + printk("minix-fs error: zone size must equal block size. " 177 + "s_log_zone_size > 0 is not supported.\n"); 175 178 return false; 179 + } 180 + 181 + if (sbi->s_ninodes < 1 || sbi->s_firstdatazone <= 4 || 182 + sbi->s_firstdatazone >= sbi->s_nzones) 183 + return false; 184 + 185 + /* Apparently minix can create filesystems that allocate more blocks for 186 + * the bitmaps than needed. We simply ignore that, but verify it didn't 187 + * create one with not enough blocks and bail out if so. 188 + */ 189 + block = minix_blocks_needed(sbi->s_ninodes, sb->s_blocksize); 190 + if (sbi->s_imap_blocks < block) { 191 + printk("MINIX-fs: file system does not have enough " 192 + "imap blocks allocated. Refusing to mount.\n"); 193 + return false; 194 + } 195 + 196 + block = minix_blocks_needed( 197 + (sbi->s_nzones - sbi->s_firstdatazone + 1), 198 + sb->s_blocksize); 199 + if (sbi->s_zmap_blocks < block) { 200 + printk("MINIX-fs: file system does not have enough " 201 + "zmap blocks allocated. Refusing to mount.\n"); 202 + return false; 203 + } 176 204 177 205 /* 178 206 * s_max_size must not exceed the block mapping limitation. This check ··· 320 292 321 293 minix_set_bit(0,sbi->s_imap[0]->b_data); 322 294 minix_set_bit(0,sbi->s_zmap[0]->b_data); 323 - 324 - /* Apparently minix can create filesystems that allocate more blocks for 325 - * the bitmaps than needed. We simply ignore that, but verify it didn't 326 - * create one with not enough blocks and bail out if so. 327 - */ 328 - block = minix_blocks_needed(sbi->s_ninodes, s->s_blocksize); 329 - if (sbi->s_imap_blocks < block) { 330 - printk("MINIX-fs: file system does not have enough " 331 - "imap blocks allocated. Refusing to mount.\n"); 332 - goto out_no_bitmap; 333 - } 334 - 335 - block = minix_blocks_needed( 336 - (sbi->s_nzones - sbi->s_firstdatazone + 1), 337 - s->s_blocksize); 338 - if (sbi->s_zmap_blocks < block) { 339 - printk("MINIX-fs: file system does not have enough " 340 - "zmap blocks allocated. Refusing to mount.\n"); 341 - goto out_no_bitmap; 342 - } 343 295 344 296 /* set up enough so that it can read an inode */ 345 297 s->s_op = &minix_sops;