android_kernel_google_msm/fs/ext4
Eryu Guan e0dd30eb33 ext4: validate s_first_meta_bg at mount time
Ralf Spenneberg reported that he hit a kernel crash when mounting a
modified ext4 image. And it turns out that kernel crashed when
calculating fs overhead (ext4_calculate_overhead()), this is because
the image has very large s_first_meta_bg (debug code shows it's
842150400), and ext4 overruns the memory in count_overhead() when
setting bitmap buffer, which is PAGE_SIZE.

ext4_calculate_overhead():
  buf = get_zeroed_page(GFP_NOFS);  <=== PAGE_SIZE buffer
  blks = count_overhead(sb, i, buf);

count_overhead():
  for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
          ext4_set_bit(EXT4_B2C(sbi, s++), buf);   <=== buffer overrun
          count++;
  }

This can be reproduced easily for me by this script:

  #!/bin/bash
  rm -f fs.img
  mkdir -p /mnt/ext4
  fallocate -l 16M fs.img
  mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
  debugfs -w -R "ssv first_meta_bg 842150400" fs.img
  mount -o loop fs.img /mnt/ext4

Fix it by validating s_first_meta_bg first at mount time, and
refusing to mount if its value exceeds the largest possible meta_bg
number.

Reported-by: Ralf Spenneberg <ralf@os-t.de>
Signed-off-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
(cherry picked from commit 3a4b77cd47bb837b8557595ec7425f281f2ca1fe)
(minor backport adapted from cf851ad35fd1e9c7b8ed00741eca613bc1a9c8c8)

Change-Id: If183ad4a873705c9a0312087577705298b3586fe
2017-03-03 13:40:24 -07:00
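
The mount-time check described in the commit message above, as an added userspace sketch (not the kernel patch itself, and not code from this repository). The function names are hypothetical, the offsets are the standard ext4 on-disk superblock fields, the sample superblock is constructed, and two things are assumptions: only the low 32 bits of the block count are read, and "largest possible meta_bg number" is taken to be the number of group descriptor blocks.

```c
#include <stdint.h>
#include <string.h>

#define INCOMPAT_META_BG 0x0010u /* EXT4_FEATURE_INCOMPAT_META_BG */
#define INCOMPAT_64BIT   0x0080u /* EXT4_FEATURE_INCOMPAT_64BIT */

/* Little-endian accessors for the 1024-byte on-disk superblock. */
static uint32_t le32(const uint8_t *sb, size_t off) {
    return sb[off] | sb[off + 1] << 8 | sb[off + 2] << 16 | (uint32_t)sb[off + 3] << 24;
}
static void put32(uint8_t *sb, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) sb[off + i] = (uint8_t)(v >> (8 * i));
}

/* Group descriptor blocks implied by the geometry; 0 if the geometry is unusable. */
uint32_t gdb_count(const uint8_t *sb) {
    uint32_t blocks = le32(sb, 0x04), first = le32(sb, 0x14);     /* s_blocks_count_lo, s_first_data_block */
    uint32_t log_bs = le32(sb, 0x18), per_group = le32(sb, 0x20); /* s_log_block_size, s_blocks_per_group */
    uint32_t dsize = 32;                                          /* descriptor size without 64bit */
    if (le32(sb, 0x60) & INCOMPAT_64BIT) dsize = sb[0xFE] | sb[0xFF] << 8; /* s_desc_size */
    if (log_bs > 6 || !per_group || dsize < 32 || blocks <= first) return 0;
    uint32_t bsize = 1024u << log_bs;
    if (dsize > bsize) return 0;
    uint64_t groups = ((uint64_t)blocks - first + per_group - 1) / per_group;
    uint32_t per_block = bsize / dsize;
    return (uint32_t)((groups + per_block - 1) / per_block);
}

/* 0 = field is plausible, -1 = refuse the image before any overhead accounting. */
int check_first_meta_bg(const uint8_t *sb) {
    uint32_t db = gdb_count(sb);
    if (db == 0) return -1;
    /* s_first_meta_bg (offset 0x104) only matters when meta_bg is enabled. */
    if ((le32(sb, 0x60) & INCOMPAT_META_BG) && le32(sb, 0x104) > db) return -1;
    return 0;
}

/* Constructed sample superblock (not real mke2fs output): 16 MiB, 1 KiB blocks, meta_bg. */
void make_sb(uint8_t *sb, uint32_t first_meta_bg) {
    memset(sb, 0, 1024);
    put32(sb, 0x04, 16384);            /* s_blocks_count_lo */
    put32(sb, 0x14, 1);                /* s_first_data_block */
    put32(sb, 0x18, 0);                /* s_log_block_size: 1024 << 0 */
    put32(sb, 0x20, 8192);             /* s_blocks_per_group */
    put32(sb, 0x60, INCOMPAT_META_BG); /* s_feature_incompat */
    put32(sb, 0x104, first_meta_bg);   /* s_first_meta_bg */
}
```

With this constructed geometry there is one group descriptor block, so the value 842150400 from the report is rejected before it could be used as a loop bound over a PAGE_SIZE bitmap.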
acl.c
acl.h
balloc.c
bitmap.c
block_validity.c
dir.c
ext4.h
ext4_extents.h
ext4_jbd2.c
ext4_jbd2.h
extents.c
file.c
fsync.c
hash.c
ialloc.c ext4: fix unjournaled inode bitmap modification 2016-10-29 23:12:26 +08:00
indirect.c
inode.c fs: ext4: disable support for fallocate FALLOC_FL_PUNCH_HOLE 2016-10-31 23:29:10 +11:00
ioctl.c
Kconfig
Makefile
mballoc.c
mballoc.h
migrate.c
mmp.c
move_extent.c
namei.c ext4: avoid hang when mounting non-journal filesystems with orphan list 2016-10-29 23:12:34 +08:00
page-io.c
resize.c
super.c ext4: validate s_first_meta_bg at mount time 2017-03-03 13:40:24 -07:00
symlink.c
truncate.h
xattr.c
xattr.h
xattr_security.c
xattr_trusted.c
xattr_user.c