From nobody Mon Jun 22 22:47:37 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8CE4C433F5 for ; Tue, 15 Mar 2022 19:16:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344242AbiCOTRe (ORCPT ); Tue, 15 Mar 2022 15:17:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51154 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241304AbiCOTRb (ORCPT ); Tue, 15 Mar 2022 15:17:31 -0400 Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 730AA3616C for ; Tue, 15 Mar 2022 12:16:18 -0700 (PDT) Received: by mail-pf1-x42b.google.com with SMTP id s8so465974pfk.12 for ; Tue, 15 Mar 2022 12:16:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=VTb5ul+n4WT1sbDMlrbhLBcR/t69JrkdnmjdEtDHndE=; b=gvQ9DlFYZSeKRGsPsrdJv82oAwqEruk9QS7vTAC6OKVJDyy8C1B/9E4dLMuljRdJVa 4BJkYvXrexW4Am2uV3t90FeD3+fXsA0orYHAD/A9bL6yK7N2JwPl7of52zjOfnme1A4s Y3MQ1DAG27vvHYJh/szmyrCBXRtimwCPxG51KD8ADalMLMo1UTaNB9jeRyflX9YsTWRD YjSYjVnpKgblC2S0Fj0SIAUOmGjRLXWHGmKyTzG5vGPjiTJ9rIzU5yHb743O7oiUfB1B OVPBrvlKWtYlJEubRsGF0McbDRADTEu70XtDVfpH55Zg/Vg8hX6ah1JvKzzGYBGG2AGq yeKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=VTb5ul+n4WT1sbDMlrbhLBcR/t69JrkdnmjdEtDHndE=; b=EAl01aieF68U2fUN9f66xSHbJkuoJi7AdiqGeT2grS1tuJROoRET7lduxB/jRG53XU JixBb1MxEYQLCiHKRVn/ZZO9eo+kAQNFpoPm3cQXTh7Efk/z9K+30h1ZKYW7VlFbSR+a uWqSBNweJzPAL8KFM9nTqnmDbQQjhszzCkFocc7lhJYhpiRLz2tDTsmZeLlRT2wDk4J5 N4Tacc1cEhZxtB7NcEB/AELBbyWmJt9G2RDhiijpQoBJDOkYQzTh+101xMwyX6iAwHDh sllGb4V5A1N4Co35cpS9qgEcjqewnvkE4TH8r1Mx/LE0a2luCzN1U4wxsADGTgfuXvKX kEGA== X-Gm-Message-State: AOAM53028n/K+GM1cYEq2xtvsLNt130nHbB+yY5bqPlbhG7ibLyhetEZ nOrbbdJ7ySiomiEo6K95Partew== X-Google-Smtp-Source: ABdhPJwnJnRXAHrQV+u5y2rkB0kmtCrYFBeyMiZMqPSrhBWuw59JeBaV01MG2y2G7Ig/Bz5uRxNbmA== X-Received: by 2002:a05:6a00:1c73:b0:4f7:83a7:25d8 with SMTP id s51-20020a056a001c7300b004f783a725d8mr26389413pfw.85.1647371777985; Tue, 15 Mar 2022 12:16:17 -0700 (PDT) Received: from localhost.localdomain ([50.39.160.154]) by smtp.gmail.com with ESMTPSA id g5-20020a056a001a0500b004def10341e5sm25975573pfv.22.2022.03.15.12.16.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Mar 2022 12:16:17 -0700 (PDT) From: Tadeusz Struk To: Theodore Ts'o Cc: Tadeusz Struk , Andreas Dilger , Ritesh Harjani , linux-ext4@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com Subject: [PATCH] ext4: check if offset+length is within a valid range in fallocate Date: Tue, 15 Mar 2022 12:15:45 -0700 Message-Id: <20220315191545.187366-1-tadeusz.struk@linaro.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Syzbot found an issue [1] in ext4_fallocate(). The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul, and offset 0x1000000ul, which, when added together exceed the disk size, and trigger a BUG in ext4_ind_remove_space() [3]. According to the comment doc in ext4_ind_remove_space() the 'end' parameter needs to be one block after the last block to remove. In the case when the BUG is triggered it points to the last block on a 4GB virtual disk image. This is calculated in ext4_ind_remove_space() in [4]. This patch adds a check that ensure the length + offest to be within the valid range and returns -ENOSPC error code in case it is invalid. LINK: [1] https://syzkaller.appspot.com/bug?id=3Db80bd9cf348aac724a4f4dff25= 1800106d721331 LINK: [2] https://syzkaller.appspot.com/text?tag=3DReproC&x=3D14ba0238700000 LINK: [3] https://elixir.bootlin.com/linux/v5.17-rc8/source/fs/ext4/indirec= t.c#L1244 LINK: [4] https://elixir.bootlin.com/linux/v5.17-rc8/source/fs/ext4/indirec= t.c#L1234 Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Ritesh Harjani Cc: Cc: Cc: Fixes: a4bb6b64e39a ("ext4: enable "punch hole" functionality") Reported-by: syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com Signed-off-by: Tadeusz Struk Reported-by: kernel test robot --- fs/ext4/inode.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 01c9e4f743ba..dd9c35113efe 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -3924,7 +3924,8 @@ int ext4_punch_hole(struct inode *inode, loff_t offse= t, loff_t length) struct super_block *sb =3D inode->i_sb; ext4_lblk_t first_block, stop_block; struct address_space *mapping =3D inode->i_mapping; - loff_t first_block_offset, last_block_offset; + loff_t first_block_offset, last_block_offset, max_length; + struct ext4_sb_info *sbi =3D EXT4_SB(inode->i_sb); handle_t *handle; unsigned int credits; int ret =3D 0, ret2 =3D 0; @@ -3967,6 +3968,16 @@ int ext4_punch_hole(struct inode *inode, loff_t offs= et, loff_t length) offset; } =20 + /* + * For punch hole the length + offset needs to be at least within + * one block before last + */ + max_length =3D sbi->s_bitmap_maxbytes - sbi->s_blocksize; + if (offset + length >=3D max_length) { + ret =3D -ENOSPC; + goto out_mutex; + } + if (offset & (sb->s_blocksize - 1) || (offset + length) & (sb->s_blocksize - 1)) { /* --=20 2.35.1