From: HyungJung Joo <jhj140711@gmail.com>

omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),
but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).

Later, omfs_make_empty() uses

    sbi->s_sys_blocksize - OMFS_DIR_START

as the length argument to memset(). Since s_sys_blocksize is u32,
a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes
an unsigned underflow there, wrapping to a value near 2^32. That drives
a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel
memory far beyond the backing block buffer.

Add the corresponding lower-bound check alongside the existing upper-bound
check in omfs_fill_super(), so that malformed images are rejected during
superblock validation before any filesystem data is processed.

Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
---
fs/omfs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index 90ae07c69349..834cae1e6223 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -513,6 +513,12 @@ static int omfs_fill_super(struct super_block *sb, struct fs_context *fc)
goto out_brelse_bh;
}
+ if (sbi->s_sys_blocksize < OMFS_DIR_START) {
+ printk(KERN_ERR "omfs: sysblock size (%d) is too small\n",
+ sbi->s_sys_blocksize);
+ goto out_brelse_bh;
+ }
+
if (sbi->s_blocksize < sbi->s_sys_blocksize ||
sbi->s_blocksize > OMFS_MAX_BLOCK_SIZE) {
printk(KERN_ERR "omfs: block size (%d) is out of range\n",
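Review bot: The added lower-bound check on sbi->s_sys_blocksize has no comment saying why OMFS_DIR_START is the minimum. The reason (omfs_make_empty() passes sbi->s_sys_blocksize - OMFS_DIR_START to memset() as a length) is stated only in the commit message, so a one-line comment above the `if` would keep a later cleanup from treating the check as redundant. Minor: the new printk formats the value with %d although the commit message describes s_sys_blocksize as u32; %u would match the type, and the same holds for the "block size (%d)" message in the trailing context. Placing the check ahead of the s_blocksize range test is sound, because that test compares s_blocksize against s_sys_blocksize and so inherits the new minimum.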
--
2.34.1
On Tue, 17 Mar 2026 14:48:27 +0900, Hyungjung Joo wrote:
> omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),
> but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).
>
> Later, omfs_make_empty() uses
>
> sbi->s_sys_blocksize - OMFS_DIR_START
>
> [...]
Pretty sure this is AI generated and it misses a Fixes: tag but otherwise looks
correct.
---
Applied to the vfs-7.1.misc branch of the vfs/vfs.git tree.
Patches in the vfs-7.1.misc branch should appear in linux-next soon.
Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.
It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.
Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.
tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs-7.1.misc
[1/1] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
https://git.kernel.org/vfs/vfs/c/0621c385fda1
On Tue, Mar 17, 2026 at 11:38 PM, Christian Brauner <brauner@kernel.org> wrote:
> Pretty sure this is AI generated and it misses a Fixes: tag but otherwise looks
> correct.

I'm sorry, I forgot the Fixes tag too.

Fixes: a3ab7155ea21
Cc: stable@vger.kernel.org

Thanks.