ext4: fix potential integer overflow in alloc_flex_gd() (967ac8af) · Commits · Android-smartphones / zte / blade-a610 / work in progress / mediatek kernel

Commit 967ac8af authored May 28, 2012 by Haogang Chen Committed by Theodore Ts'o May 28, 2012

ext4: fix potential integer overflow in alloc_flex_gd()



In alloc_flex_gd(), when flexbg_size is large, kmalloc size would
overflow and flex_gd->groups would point to a buffer smaller than
expected, causing OOB accesses when it is used.

Note that in ext4_resize_fs(), flexbg_size is calculated using
sbi->s_log_groups_per_flex, which is read from the disk and only bounded
to [1, 31]. The patch returns NULL for too large flexbg_size.

Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@kernel.org

parent 9d99012f

Hide whitespace changes

Inline Side-by-side

Please register or to comment