In gfs2_check_sb(), no validation checks are performed with regards to
the size of the superblock.
syzkaller detected a slab-out-of-bounds bug that was primarily caused
because the block size for a superblock was set to zero.
A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE.
Performing validation checks and ensuring that the size of the superblock
is valid fixes this bug.
Reported-by: syzbot+af90d47a37376844e...@syzkaller.appspotmail.com
Tested-by: syzbot+af90d47a37376844e...@syzkaller.appspotmail.com
Suggested-by: Andrew Price <anpr...@redhat.com>
Signed-off-by: Anant Thazhemadam <anant.thazhema...@gmail.com>
---
Changes in v2:
* Completely dropped the changes proposed in v1. Instead,
validity checks for superblock size have been introduced.
(Suggested by Andrew Price<anpr...@redhat.com>)
* Addded a "Suggested-by" tag accrediting the patch idea to
Andrew. If there's any issue with that, please let me know.
* Changed the commit header and commit message appropriately.
* Updated "Reported-by" and "Tested-by" tags to the same instance
of the bug that was detected earlier (non consequential change).
fs/gfs2/ops_fstype.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 6d18d2c91add..f0605fae2c4c 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -169,6 +169,13 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int silent)
return -EINVAL;
}
+ /* Check if the size of the block is valid - a power of 2 between 512
and PAGE_SIZE */
+ if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE || (sb->sb_bsize &
(sb->sb_bsize - 1))) {
+ if (!silent)
+ pr_warn("Invalid superblock size\n");
+ return -EINVAL;
+ }
+
/* If format numbers match exactly, we're done. */
if (sb->sb_fs_format == GFS2_FORMAT_FS &&
--
2.25.1
