• Theodore Ts'o's avatar
    ext4: allow ext4_get_group_info() to fail · 5354b2af
    Theodore Ts'o authored
    Previously, ext4_get_group_info() would treat an invalid group number
    as BUG(), since in theory it should never happen.  However, if a
    malicious attaker (or fuzzer) modifies the superblock via the block
    device while it is the file system is mounted, it is possible for
    s_first_data_block to get set to a very large number.  In that case,
    when calculating the block group of some block number (such as the
    starting block of a preallocation region), could result in an
    underflow and very large block group number.  Then the BUG_ON check in
    ext4_get_group_info() would fire, resutling in a denial of service
    attack that can be triggered by root or someone with write access to
    the block device.
    
    For a quality of implementation perspective, it's best that even if
    the system administrator does something that they shouldn't, that it
    will not trigger a BUG.  So instead of BUG'ing, ext4_get_group_info()
    will call ext4_error and return NULL.  We also add fallback code in
    all of the callers of ext4_get_group_info() that it might NULL.
    
    Also, since ext4_get_group_info() was already borderline to be an
    inline function, un-inline it.  The results in a next reduction of the
    compiled text size of ext4 by roughly 2k.
    
    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/20230430154311.579720-2-tytso@mit.edu
    Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
    Reviewed-by: default avatarJan Kara <jack@suse.cz>
    5354b2af
ialloc.c 44.8 KB