evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/fs
History
Torsten Hilbrich d32978b8f5 fs/nilfs2: fix potential underflow in call to crc32_le 
commit 63d2f95d63396059200c391ca87161897b99e74a upstream.

The value `bytes' comes from the filesystem which is about to be
mounted.  We cannot trust that the value is always in the range we
expect it to be.

Check its value before using it to calculate the length for the crc32_le
call.  It value must be larger (or equal) sumoff + 4.

This fixes a kernel bug when accidentially mounting an image file which
had the nilfs2 magic value 0x3434 at the right offset 0x406 by chance.
The bytes 0x01 0x00 were stored at 0x408 and were interpreted as a
s_bytes value of 1.  This caused an underflow when substracting sumoff +
4 (20) in the call to crc32_le.

  BUG: unable to handle kernel paging request at ffff88021e600000
  IP:  crc32_le+0x36/0x100
  ...
  Call Trace:
    nilfs_valid_sb.part.5+0x52/0x60 [nilfs2]
    nilfs_load_super_block+0x142/0x300 [nilfs2]
    init_nilfs+0x60/0x390 [nilfs2]
    nilfs_mount+0x302/0x520 [nilfs2]
    mount_fs+0x38/0x160
    vfs_kern_mount+0x67/0x110
    do_mount+0x269/0xe00
    SyS_mount+0x9f/0x100
    entry_SYSCALL_64_fastpath+0x16/0x71

Link: http://lkml.kernel.org/r/1466778587-5184-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp
Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
Tested-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-08-10 11:49:25 +02:00
..
9p 9p: ->evict_inode() should kick out ->i_data, not ->i_mapping 2015-12-08 14:51:16 -05:00
adfs
affs affs: fix remount failure when there are no options changed 2016-06-07 18:14:32 -07:00
afs
autofs4
befs
bfs
btrfs btrfs: account for non-CoW'd blocks in btrfs_abort_transaction 2016-07-27 09:47:33 -07:00
cachefiles FS-Cache: Add missing initialization of ret in cachefiles_write_page() 2015-11-16 20:38:43 -05:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2015-11-13 09:24:40 -08:00
cifs File names with trailing period or space need special case conversion 2016-07-27 09:47:39 -07:00
coda fs/coda: fix readlink buffer overflow 2015-09-10 13:29:01 -07:00
configfs configfs: allow dynamic group creation 2015-11-20 16:17:32 -08:00
cramfs
debugfs debugfs: Make automount point inodes permanently empty 2016-05-04 14:48:41 -07:00
devpts pty: make sure super_block is still valid in final /dev/tty close 2016-02-25 12:01:14 -08:00
dlm net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA 2015-12-01 15:45:05 -05:00
ecryptfs ecryptfs: forbid opening files without mmap handler 2016-06-24 10:18:20 -07:00
efivarfs efi: Make efivarfs entries immutable by default 2016-03-03 15:07:09 -08:00
efs
exofs osd fs: __r4w_get_page rely on PageUptodate for uptodate 2015-12-12 10:15:34 -08:00
exportfs
ext2 ext2, ext4: warn when mounting with dax enabled 2015-11-16 09:43:54 -08:00
ext4 ext4: silence UBSAN in ext4_mb_init() 2016-06-07 18:14:37 -07:00
f2fs Merge branch 'for-linus-3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-11-13 18:02:30 -08:00
fat fat: fix fake_offset handling on error path 2015-11-20 16:17:32 -08:00
freevxfs
fscache FS-Cache: Handle a write to the page immediately beyond the EOF marker 2015-11-11 02:11:02 -05:00
fuse fuse: Add reference counting for fuse_io_priv 2016-04-12 09:08:58 -07:00
gfs2 Merge branch 'for-linus-3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-11-13 18:02:30 -08:00
hfs hfs: fix B-tree corruption after insertion at position 0 2015-09-10 13:29:01 -07:00
hfsplus xattr handlers: Pass handler to operations instead of flags 2015-11-13 20:34:32 -05:00
hostfs uml: fix hostfs mknod() 2016-03-03 15:07:12 -08:00
hpfs hpfs: implement the show_options method 2016-06-01 12:15:54 -07:00
hugetlbfs fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list() 2016-02-25 12:01:22 -08:00
isofs get_rock_ridge_filename(): handle malformed NM entries 2016-05-18 17:06:54 -07:00
jbd2 jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path 2016-04-12 09:08:53 -07:00
jffs2 jffs2: reduce the breakage on recovery from halfway failed rename() 2016-03-16 08:42:58 -07:00
jfs fs/jfs: remove unnecessary new_valid_dev() checks 2015-11-09 15:11:24 -08:00
kernfs
lockd Mainly smaller bugfixes and cleanup. We're still finding some bugs from 2015-11-11 20:11:28 -08:00
logfs mm, fs: introduce mapping_gfp_constraint() 2015-11-06 17:50:42 -08:00
minix
ncpfs ncpfs: fix a braino in OOM handling in ncp_fill_cache() 2016-03-16 08:42:59 -07:00
nfs NFS: Fix another OPEN_DOWNGRADE bug 2016-07-27 09:47:30 -07:00
nfs_common
nfsd nfsd: check permissions when setting ACLs 2016-07-27 09:47:30 -07:00
nilfs2 fs/nilfs2: fix potential underflow in call to crc32_le 2016-08-10 11:49:25 +02:00
nls
notify inotify: actually check for invalid bits in sys_inotify_add_watch() 2015-11-05 19:34:48 -08:00
ntfs mm, fs: introduce mapping_gfp_constraint() 2015-11-06 17:50:42 -08:00
ocfs2 ocfs2: fix posix_acl_create deadlock 2016-05-18 17:06:44 -07:00
omfs
openpromfs
overlayfs ovl: verify upper dentry before unlink and rename 2016-07-27 09:47:40 -07:00
proc proc: prevent stacking filesystems on top 2016-06-24 10:18:20 -07:00
pstore pstore: fix code comment to match code 2015-11-02 13:41:52 -08:00
qnx4
qnx6
quota quota: Fix possible GPF due to uninitialised pointers 2016-04-12 09:08:56 -07:00
ramfs mm, fs: obey gfp_mapping for add_to_page_cache() 2015-10-16 11:42:28 -07:00
reiserfs Merge branch 'for-linus-3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-11-13 18:02:30 -08:00
romfs
squashfs squashfs: xattr simplifications 2015-11-13 20:34:33 -05:00
sysfs platform/chrome: Branch for v4.4 2015-11-13 21:53:18 -08:00
sysv fix sysvfs symlinks 2015-11-23 21:11:08 -05:00
tracefs tracefs: Fix refcount imbalance in start_creating() 2015-11-04 22:13:45 -05:00
ubifs UBIFS: Implement ->migratepage() 2016-07-27 09:47:31 -07:00
udf udf: Check output buffer length when converting name to CS0 2016-02-25 12:01:18 -08:00
ufs
xfs xfs: handle dquot buffer readahead in log recovery correctly 2016-06-07 18:14:38 -07:00
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf.c Merge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-11-11 09:45:24 -08:00
binfmt_elf_fdpic.c libnvdimm for 4.4: 2015-11-10 12:07:22 -08:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
block_dev.c block: detach bdev inode from its wb in __blkdev_put() 2015-12-04 11:02:17 -07:00
buffer.c vfs: remove unused wrapper block_page_mkwrite() 2015-11-11 02:19:33 -05:00
char_dev.c
compat.c
compat_binfmt_elf.c
compat_ioctl.c i2c-dev: Fix typo in ioctl name reference 2015-10-23 23:26:43 +02:00
coredump.c fs/coredump: prevent fsuid=0 dumps into user-controlled directories 2016-04-12 09:08:58 -07:00
dax.c dax: disable pmd mappings 2015-11-16 23:54:45 -08:00
dcache.c fix d_walk()/non-delayed __d_free() race 2016-06-24 10:18:21 -07:00
dcookies.c
direct-io.c block: fix use-after-free in dio_bio_complete 2016-03-03 15:07:28 -08:00
drop_caches.c
eventfd.c
eventpoll.c
exec.c
fcntl.c
fhandle.c fs/coredump: prevent fsuid=0 dumps into user-controlled directories 2016-04-12 09:08:58 -07:00
file.c vfs: clear remainder of 'full_fds_bits' in dup_fd() 2015-11-05 23:05:32 -08:00
file_table.c
filesystems.c
fs-writeback.c writeback, cgroup: fix use of the wrong bdi_writeback which mismatches the inode 2016-04-12 09:09:04 -07:00
fs_pin.c
fs_struct.c
inode.c fs: fix inode.c kernel-doc warning 2015-11-11 02:18:27 -05:00
internal.h
ioctl.c
Kconfig dax: disable pmd mappings 2015-11-16 23:54:45 -08:00
Kconfig.binfmt
libfs.c
locks.c locks: fix unlock when fcntl_setlk races with a close 2016-03-03 15:07:12 -08:00
Makefile ext4: promote ext4 over ext2 in the default probe order 2015-10-15 10:33:21 -04:00
mbcache.c
mount.h
mpage.c mm, fs: introduce mapping_gfp_constraint() 2015-11-06 17:50:42 -08:00
namei.c atomic_open(): fix the handling of create_error 2016-05-18 17:06:51 -07:00
namespace.c mnt: If fs_fully_visible fails call put_filesystem. 2016-07-27 09:47:28 -07:00
no-block.c
nsfs.c fs/seq_file: convert int seq_vprint/seq_printf/etc... returns to void 2015-09-11 15:21:34 -07:00
open.c vfs: add vfs_select_inode() helper 2016-05-18 17:06:48 -07:00
pipe.c pipe: limit the per-user amount of pages allocated in pipes 2016-06-07 18:14:35 -07:00
pnode.c propogate_mnt: Handle the first propogated copy being a slave 2016-05-11 11:21:19 +02:00
pnode.h
posix_acl.c posix_acl: Add set_posix_acl 2016-07-27 09:47:30 -07:00
proc_namespace.c vfs: show_vfsstat: do not ignore errors from show_devname method 2016-04-12 09:08:55 -07:00
read_write.c
readdir.c
select.c
seq_file.c fs, seqfile: always allow oom killer 2015-11-06 17:50:42 -08:00
signalfd.c
splice.c splice: handle zero nr_pages in splice_to_pipe() 2016-04-12 09:08:55 -07:00
stack.c
stat.c fs/stat.c: remove unnecessary new_valid_dev() check 2015-11-09 15:11:24 -08:00
statfs.c
super.c writeback: flush inode cgroup wb switches instead of pinning super_block 2016-03-09 15:34:52 -08:00
sync.c fs/sync.c: make sync_file_range(2) use WB_SYNC_NONE writeback 2015-11-06 17:50:42 -08:00
timerfd.c timerfd: Handle relative timers with CONFIG_TIME_LOW_RES proper 2016-02-25 12:01:25 -08:00
userfaultfd.c userfaultfd: don't block on the last VM updates at exit time 2016-03-16 08:43:01 -07:00
utimes.c
xattr.c 9p: xattr simplifications 2015-11-13 20:34:33 -05:00