authorLight Hsieh <light.hsieh@mediatek.com>2018-12-17 11:38:06 +0800
committerDarren Krahn <dkrahn@google.com>2019-07-30 11:04:24 -0700
commit4e882b1bfd0dc6323fddb2ee9cce2b936690d6a8 (patch)
tree638c090954bd1e7f717722438a4748b31f8e083f
parent94497c2ef466d2ce081045ac62f2a8f105f8a6d8 (diff)
[ALPS04224666] ext4: verify the depth of extent tree in ext4_find_extent()
If there is a corrupted file system where the claimed depth of the extent tree is -1, this can cause a massive buffer overrun leading to sadness. https://bugzilla.kernel.org/show_bug.cgi?id=199417 Change-Id: Idf526a0cc916fcf177fa15b85dd5f4ac54f8bf4e Signed-off-by: Light Hsieh <light.hsieh@mediatek.com> CR-Id: ALPS04224666 Feature: [Android Default] EXT4 File System (cherry-pick from 273f6a1fe38c7f7a4a4b1c5d4b69aeb525da7bd3)
-rw-r--r--fs/ext4/ext4_extents.h1
-rw-r--r--fs/ext4/extents.c7
2 files changed, 8 insertions, 0 deletions
diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h
index 3c9381547094..2d8e73793512 100644
--- a/fs/ext4/ext4_extents.h
+++ b/fs/ext4/ext4_extents.h
@@ -103,6 +103,7 @@ struct ext4_extent_header {
};
#define EXT4_EXT_MAGIC cpu_to_le16(0xf30a)
+#define EXT4_MAX_EXTENT_DEPTH 5
#define EXT4_EXTENT_TAIL_OFFSET(hdr) \
(sizeof(struct ext4_extent_header) + \
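Review bot: `EXT4_MAX_EXTENT_DEPTH` is added without a comment saying what the limit protects or where the value 5 comes from, which makes the bound relied on by the new check in fs/ext4/extents.c hard to audit. A one-line comment above the define would record the intent, for example `/* Largest eh_depth accepted from disk; anything deeper is treated as corruption */`. The derivation of 5 is not shown on this page, so it should be added by someone who can confirm it rather than inferred.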
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 61d5bfc7318c..f8cd9663d9bd 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -877,6 +877,13 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
eh = ext_inode_hdr(inode);
depth = ext_depth(inode);
+ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
+ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
+ depth);
+ ret = -EFSCORRUPTED;
+ goto err;
+ }
+
if (path) {
ext4_ext_drop_refs(path);
if (depth > path[0].p_maxdepth) {
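Review bot: The new guard in ext4_find_extent() jumps to `err` before the `if (path)` block has called `ext4_ext_drop_refs(path)`, so the cleanup at `err` is now reached with a caller-supplied path in whatever state the caller left it. That label is outside the hunk, so please confirm it tolerates a NULL `path` and a path that still holds buffer references. The `depth < 0` arm also only fires if `depth` is declared with a signed type, and the declaration is not visible here. A short comment above the check would make that dependency explicit, for example `/* eh_depth comes from disk; a corrupted value can read back negative or exceed the maximum tree depth */`. The function body starts and ends outside the hunk.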