• Ryusuke Konishi's avatar
    nilfs2: fix inode number range checks · e2fec219
    Ryusuke Konishi authored
    Patch series "nilfs2: fix potential issues related to reserved inodes".
    
    This series fixes one use-after-free issue reported by syzbot, caused by
    nilfs2's internal inode being exposed in the namespace on a corrupted
    filesystem, and a couple of flaws that cause problems if the starting
    number of non-reserved inodes written in the on-disk super block is
    intentionally (or corruptly) changed from its default value.  
    
    
    This patch (of 3):
    
    In the current implementation of nilfs2, "nilfs->ns_first_ino", which
    gives the first non-reserved inode number, is read from the superblock,
    but its lower limit is not checked.
    
    As a result, if a number that overlaps with the inode number range of
    reserved inodes such as the root directory or metadata files is set in the
    super block parameter, the inode number test macros (NILFS_MDT_INODE and
    NILFS_VALID_INODE) will not function properly.
    
    In addition, these test macros use left bit-shift calculations using with
    the inode number as the shift count via the BIT macro, but the result of a
    shift calculation that exceeds the bit width of an integer is undefined in
    the C specification, so if "ns_first_ino" is set to a large value other
    than the default value NILFS_USER_INO (=11), the macros may potentially
    malfunction depending on the environment.
    
    Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and
    by preventing bit shifts equal to or greater than the NILFS_USER_INO
    constant in the inode number test macros.
    
    Also, change the type of "ns_first_ino" from signed integer to unsigned
    integer to avoid the need for type casting in comparisons such as the
    lower bound check introduced this time.
    
    Link: https://lkml.kernel.org/r/20240623051135.4180-1-konishi.ryusuke@gmail.com
    Link: https://lkml.kernel.org/r/20240623051135.4180-2-konishi.ryusuke@gmail.comSigned-off-by: default avatarRyusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: Hillf Danton <hdanton@sina.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    e2fec219
the_nilfs.h 11.2 KB