ext4: fix potential integer overflow in alloc_flex_gd() In alloc_flex_gd(), when flexbg_size is large, kmalloc size would overflow and flex_gd->groups would point to a buffer smaller than expected, causing OOB accesses when it is used. Note that in ext4_resize_fs(), flexbg_size is calculated using sbi->s_log_groups_per_flex, which is read from the disk and only bounded to [1, 31]. The patch returns NULL for too large flexbg_size. Reviewed-by: Eric Sandeen <sandeen@redhat.com> Signed-off-by: Haogang Chen <haogangchen@gmail.com> Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Cc: stable@kernel.org

commit: 967ac8af4475ce45474800709b12137aa7634c77 [log] [tgz]
author: Haogang Chen <haogangchen@gmail.com> Mon May 28 14:21:55 2012 -0400
committer: Theodore Ts'o <tytso@mit.edu> Mon May 28 14:21:55 2012 -0400
tree: b40d665c1620e801f313ff516c7986e8c3cdbd59
parent: 9d99012ff26380a09092a9fddbb6e5f996dc631f [diff] [blame]
diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
index a58ce7c..05c7979 100644
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c

@@ -161,6 +161,8 @@
 	if (flex_gd == NULL)
 		goto out3;
 
+	if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_flex_group_data))
+		goto out2;
 	flex_gd->count = flexbg_size;
 
 	flex_gd->groups = kmalloc(sizeof(struct ext4_new_group_data) *
commit	967ac8af4475ce45474800709b12137aa7634c77	[log] [tgz]
author	Haogang Chen <haogangchen@gmail.com>	Mon May 28 14:21:55 2012 -0400
committer	Theodore Ts'o <tytso@mit.edu>	Mon May 28 14:21:55 2012 -0400
tree	b40d665c1620e801f313ff516c7986e8c3cdbd59
parent	9d99012ff26380a09092a9fddbb6e5f996dc631f [diff] [blame]