Commit 3e4f8da9 authored by Darrick J. Wong's avatar Darrick J. Wong Committed by Greg Kroah-Hartman

ext4: reject inodes with negative size

commit 7e6e1ef4 upstream.

Don't load an inode with a negative size; this causes integer overflow
problems in the VFS.

[ Added EXT4_ERROR_INODE() to mark file system as corrupted. -TYT]

Fixes: a48380f7 (ext4: rename i_dir_acl to i_size_high)
Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 8084f57b
...@@ -4434,6 +4434,7 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) ...@@ -4434,6 +4434,7 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
struct inode *inode; struct inode *inode;
journal_t *journal = EXT4_SB(sb)->s_journal; journal_t *journal = EXT4_SB(sb)->s_journal;
long ret; long ret;
loff_t size;
int block; int block;
uid_t i_uid; uid_t i_uid;
gid_t i_gid; gid_t i_gid;
...@@ -4534,6 +4535,11 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) ...@@ -4534,6 +4535,11 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
ei->i_file_acl |= ei->i_file_acl |=
((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32; ((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32;
inode->i_size = ext4_isize(raw_inode); inode->i_size = ext4_isize(raw_inode);
if ((size = i_size_read(inode)) < 0) {
EXT4_ERROR_INODE(inode, "bad i_size value: %lld", size);
ret = -EFSCORRUPTED;
goto bad_inode;
}
ei->i_disksize = inode->i_size; ei->i_disksize = inode->i_size;
#ifdef CONFIG_QUOTA #ifdef CONFIG_QUOTA
ei->i_reserved_quota = 0; ei->i_reserved_quota = 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment