nilfs2: reject devices with insufficient block count
authorRyusuke Konishi <konishi.ryusuke@gmail.com>
Fri, 26 May 2023 02:13:32 +0000 (11:13 +0900)
committerAndrew Morton <akpm@linux-foundation.org>
Mon, 12 Jun 2023 18:31:51 +0000 (11:31 -0700)
commit92c5d1b860e9581d64baca76779576c0ab0d943d
tree3ec402eb1d478fd4d858c1db1346cd9e32bef15f
parent50d927880e0f90d5cb25e897e9d03e5edacc79a8
nilfs2: reject devices with insufficient block count

The current sanity check for nilfs2 geometry information lacks checks for
the number of segments stored in superblocks, so even for device images
that have been destructively truncated or have an unusually high number of
segments, the mount operation may succeed.

This causes out-of-bounds block I/O on file system block reads or log
writes to the segments, the latter in particular causing
"a_ops->writepages" to repeatedly fail, resulting in sync_inodes_sb() to
hang.

Fix this issue by checking the number of segments stored in the superblock
and avoiding mounting devices that can cause out-of-bounds accesses.  To
eliminate the possibility of overflow when calculating the number of
blocks required for the device from the number of segments, this also adds
a helper function to calculate the upper bound on the number of segments
and inserts a check using it.

Link: https://lkml.kernel.org/r/20230526021332.3431-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+7d50f1e54a12ba3aeae2@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=7d50f1e54a12ba3aeae2
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
fs/nilfs2/the_nilfs.c