From 3e3e50fe96921c842f987f5206ee5fd79e49c23d Mon Sep 17 00:00:00 2001 From: "zhangyi (F)" Date: Wed, 28 Aug 2019 15:29:05 +0800 Subject: [PATCH] ext4: fix integer overflow when calculating commit interval hulk inclusion category: bugfix bugzilla: 16625 CVE: NA --------------------------- If user specify a large enough value of "commit=" option, it may trigger signed integer overflow which may lead to sbi->s_commit_interval becomes a large or small value, zero in particular. UBSAN: Undefined behaviour in ../fs/ext4/super.c:1592:31 signed integer overflow: 536870912 * 1000 cannot be represented in type 'int' [...] Call trace: [...] [] ubsan_epilogue+0x34/0x9c lib/ubsan.c:166 [] handle_overflow+0x228/0x280 lib/ubsan.c:197 [] __ubsan_handle_mul_overflow+0x4c/0x68 lib/ubsan.c:218 [] handle_mount_opt fs/ext4/super.c:1592 [inline] [] parse_options+0x1724/0x1a40 fs/ext4/super.c:1773 [] ext4_remount+0x2ec/0x14a0 fs/ext4/super.c:4834 [...] Although it is not a big deal, still silence the UBSAN by limit the input value. Link: https://patchwork.ozlabs.org/patch/1153233 Signed-off-by: zhangyi (F) Reviewed-by: Jan Kara Reviewed-by: ZhangXiaoxu Signed-off-by: zhangyi (F) Signed-off-by: Yang Yingliang Reviewed-by: Yi Zhang Signed-off-by: Yang Yingliang --- fs/ext4/super.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 244d43d3575e..3846250ebf3a 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1842,6 +1842,13 @@ static int handle_mount_opt(struct super_block *sb, char *opt, int token, } else if (token == Opt_commit) { if (arg == 0) arg = JBD2_DEFAULT_MAX_COMMIT_AGE; + if (arg > INT_MAX / HZ) { + ext4_msg(sb, KERN_ERR, + "Invalid commit interval %d, " + "must be smaller than %d", + arg, INT_MAX / HZ); + return -1; + } sbi->s_commit_interval = HZ * arg; } else if (token == Opt_debug_want_extra_isize) { sbi->s_want_extra_isize = arg; -- GitLab