From: Hyungjung Joo
To: me@bobcopeland.com, linux-karma-devel@lists.sourceforge.net
Cc: viro@zeniv.linux.org.uk, brauner@kernel.org, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, HyungJung Joo
Subject: [PATCH] fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
Date: Tue, 17 Mar 2026 14:48:27 +0900
Message-Id: <20260317054827.1822061-1-jhj140711@gmail.com>
X-Mailer: git-send-email 2.34.1

From: HyungJung Joo

omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE), but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).

Later, omfs_make_empty() uses sbi->s_sys_blocksize - OMFS_DIR_START as the length argument to memset(). Since s_sys_blocksize is u32, a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes an unsigned underflow there, wrapping to a value near 2^32. That drives a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel memory far beyond the backing block buffer.

Add the corresponding lower-bound check alongside the existing upper-bound check in omfs_fill_super(), so that malformed images are rejected during superblock validation before any filesystem data is processed.

Signed-off-by: Hyungjung Joo
---
 fs/omfs/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index 90ae07c69349..834cae1e6223 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -513,6 +513,12 @@ static int omfs_fill_super(struct super_block *sb, str= uct fs_context *fc) goto out_brelse_bh; } =20 + if (sbi->s_sys_blocksize < OMFS_DIR_START) { + printk(KERN_ERR "omfs: sysblock size (%d) is too small\n", + sbi->s_sys_blocksize); + goto out_brelse_bh; + } + if (sbi->s_blocksize < sbi->s_sys_blocksize || sbi->s_blocksize > OMFS_MAX_BLOCK_SIZE) { printk(KERN_ERR "omfs: block size (%d) is out of range\n", --=20 2.34.1
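Review bot: the new check in this hunk uses `<`, so s_sys_blocksize == OMFS_DIR_START still passes and makes the memset() length in omfs_make_empty() (s_sys_blocksize - OMFS_DIR_START, per the commit message) exactly zero; please confirm that a zero-sized directory area is acceptable and that nothing else divides by that difference, otherwise `<=` is the safer bound. Minor: the printk prints the u32 with `%d`, which matches the neighbouring "block size (%d) is out of range" message, but `%u` would be the accurate specifier for both.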
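As an added illustration, not part of this patch or of the omfs code, the u32 wrap the commit message describes next to the two-sided validation the patch establishes; OMFS_DIR_START is taken from the patch, while PAGE_SIZE is assumed to be 4096 and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define OMFS_DIR_START      0x1b8u   /* 440, from the patch */
#define ASSUMED_PAGE_SIZE   4096u    /* assumption: x86-64 page size */

/* Length that omfs_make_empty() passes to memset() before the fix:
 * the subtraction happens in u32, so any value below OMFS_DIR_START
 * wraps to just under 2^32 before being widened to size_t. */
size_t unchecked_memset_len(uint32_t s_sys_blocksize)
{
	uint32_t len = s_sys_blocksize - OMFS_DIR_START;  /* u32 arithmetic */
	return (size_t)len;
}

/* Superblock field validation mirroring the patched omfs_fill_super():
 * the existing upper bound plus the lower bound the patch adds. */
bool sys_blocksize_valid(uint32_t s_sys_blocksize)
{
	if (s_sys_blocksize > ASSUMED_PAGE_SIZE)
		return false;                 /* existing check */
	if (s_sys_blocksize < OMFS_DIR_START)
		return false;                 /* check added by the patch */
	return true;
}

/* Length after validation: -1 means the image was rejected up front,
 * so the subtraction is never reached with a wrapping operand. */
long long checked_memset_len(uint32_t s_sys_blocksize)
{
	if (!sys_blocksize_valid(s_sys_blocksize))
		return -1;
	return (long long)(s_sys_blocksize - OMFS_DIR_START);
}

int main(void)
{
	/* constructed sample superblock values, including crafted ones */
	uint32_t samples[] = { 0, 256, 440, 512, 4096, 8192 };
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("s_sys_blocksize=%5u  unchecked len=%10zu  checked len=%lld\n",
		       samples[i], unchecked_memset_len(samples[i]),
		       checked_memset_len(samples[i]));
	return 0;
}
```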