[PATCH] ext4: fix infinite loop caused by integer overflow

From: Luis Henriques (SUSE)
Date: Thu May 09 2024 - 10:53:01 EST

Next message: Theodore Ts'o: "Re: [PATCH v2 0/2] jbd2: use shrink_type type instead of bool type for __jbd2_journal_clean_checkpoint_list()"
Previous message: Amir Goldstein: "Re: [syzbot] [kernfs?] possible deadlock in kernfs_seq_start"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

An integer overflow will happen if the extent_status len is set to
EXT_MAX_BLOCKS (0xffffffff). This may cause an infinite loop in function
ext4_ext_determine_insert_hole(), easily reproducible using fstest
generic/039.

Fixes: 6430dea07e85 ("ext4: correct the hole length returned by ext4_map_blocks()")
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@xxxxxxxxx>
---
fs/ext4/extents.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index e57054bdc5fd..193121b394f9 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4064,7 +4064,7 @@ static ext4_lblk_t ext4_ext_determine_insert_hole(struct inode *inode,
* There's a delalloc extent in the hole, handle it if the delalloc
* extent is in front of, behind and straddle the queried range.
*/
- if (lblk >= es.es_lblk + es.es_len) {
+ if (lblk >= ((__u64) es.es_lblk) + es.es_len) {
/*
* The delalloc extent is in front of the queried range,
* find again from the queried start block.

Next message: Theodore Ts'o: "Re: [PATCH v2 0/2] jbd2: use shrink_type type instead of bool type for __jbd2_journal_clean_checkpoint_list()"
Previous message: Amir Goldstein: "Re: [syzbot] [kernfs?] possible deadlock in kernfs_seq_start"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]