Commit 3ebacb05 authored by Mikulas Patocka's avatar Mikulas Patocka Committed by Linus Torvalds

hpfs: better test for errors

The test if bitmap access is out of bound could errorneously pass if the
device size is divisible by 16384 sectors and we are asking for one bitmap
after the end.

Check for invalid size in the superblock. Invalid size could cause integer
overflows in the rest of the code.
Signed-off-by: default avatarMikulas Patocka <mpatocka@artax.karlin.mff.cuni.cz>
Cc: stable@kernel.org
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 8bb495e3
...@@ -17,7 +17,8 @@ __le32 *hpfs_map_bitmap(struct super_block *s, unsigned bmp_block, ...@@ -17,7 +17,8 @@ __le32 *hpfs_map_bitmap(struct super_block *s, unsigned bmp_block,
struct quad_buffer_head *qbh, char *id) struct quad_buffer_head *qbh, char *id)
{ {
secno sec; secno sec;
if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) { unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14;
if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) {
hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id); hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id);
return NULL; return NULL;
} }
......
...@@ -558,7 +558,13 @@ static int hpfs_fill_super(struct super_block *s, void *options, int silent) ...@@ -558,7 +558,13 @@ static int hpfs_fill_super(struct super_block *s, void *options, int silent)
sbi->sb_cp_table = NULL; sbi->sb_cp_table = NULL;
sbi->sb_c_bitmap = -1; sbi->sb_c_bitmap = -1;
sbi->sb_max_fwd_alloc = 0xffffff; sbi->sb_max_fwd_alloc = 0xffffff;
if (sbi->sb_fs_size >= 0x80000000) {
hpfs_error(s, "invalid size in superblock: %08x",
(unsigned)sbi->sb_fs_size);
goto bail4;
}
/* Load bitmap directory */ /* Load bitmap directory */
if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps)))) if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps))))
goto bail4; goto bail4;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment