diff options
author | Light Hsieh <light.hsieh@mediatek.com> | 2018-12-17 11:38:06 +0800 |
---|---|---|
committer | Darren Krahn <dkrahn@google.com> | 2019-07-30 11:04:24 -0700 |
commit | 4e882b1bfd0dc6323fddb2ee9cce2b936690d6a8 (patch) | |
tree | 638c090954bd1e7f717722438a4748b31f8e083f | |
parent | 94497c2ef466d2ce081045ac62f2a8f105f8a6d8 (diff) | |
download | mediatek-4e882b1bfd0dc6323fddb2ee9cce2b936690d6a8.tar.gz |
[ALPS04224666] ext4: verify the depth of extent tree in ext4_find_extent()
If there is a corupted file system where the claimed depth of the
extent tree is -1, this can cause a massive buffer overrun leading to
sadness.
https://bugzilla.kernel.org/show_bug.cgi?id=199417
Change-Id: Idf526a0cc916fcf177fa15b85dd5f4ac54f8bf4e
Signed-off-by: Light Hsieh <light.hsieh@mediatek.com>
CR-Id: ALPS04224666
Feature: [Android Default] EXT4 File System
(cherry-pick from 273f6a1fe38c7f7a4a4b1c5d4b69aeb525da7bd3)
-rw-r--r-- | fs/ext4/ext4_extents.h | 1 | ||||
-rw-r--r-- | fs/ext4/extents.c | 7 |
2 files changed, 8 insertions, 0 deletions
diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h index 3c9381547094..2d8e73793512 100644 --- a/fs/ext4/ext4_extents.h +++ b/fs/ext4/ext4_extents.h @@ -103,6 +103,7 @@ struct ext4_extent_header { }; #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) +#define EXT4_MAX_EXTENT_DEPTH 5 #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ (sizeof(struct ext4_extent_header) + \ diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 61d5bfc7318c..f8cd9663d9bd 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -877,6 +877,13 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, eh = ext_inode_hdr(inode); depth = ext_depth(inode); + if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { + EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", + depth); + ret = -EFSCORRUPTED; + goto err; + } + if (path) { ext4_ext_drop_refs(path); if (depth > path[0].p_maxdepth) { |