Skip to content

Commit

Permalink
ext4: fix potential integer overflow in alloc_flex_gd()
Browse files Browse the repository at this point in the history 
In alloc_flex_gd(), when flexbg_size is large, kmalloc size would
overflow and flex_gd->groups would point to a buffer smaller than
expected, causing OOB accesses when it is used.

Note that in ext4_resize_fs(), flexbg_size is calculated using
sbi->s_log_groups_per_flex, which is read from the disk and only bounded
to [1, 31]. The patch returns NULL for too large flexbg_size.

Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@kernel.org
  • Loading branch information
Haogang Chen authored and Theodore Ts'o committed May 28, 2012
1 parent 9d99012 commit 967ac8a
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions fs/ext4/resize.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,8 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size)
if (flex_gd == NULL)
goto out3;

if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data))
goto out2;
flex_gd->count = flexbg_size;

flex_gd->groups = kmalloc(sizeof(struct ext4_new_group_data) *
Expand Down

0 comments on commit 967ac8a

Please sign in to comment.