hpfs: better test for errors

The test if bitmap access is out of bound could errorneously pass if the
device size is divisible by 16384 sectors and we are asking for one bitmap
after the end.

Check for invalid size in the superblock. Invalid size could cause integer
overflows in the rest of the code.

Signed-off-by: Mikulas Patocka <mpatocka@artax.karlin.mff.cuni.cz>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/hpfs/map.c b/fs/hpfs/map.c
index 4acb19d78359d4bec83f90b854680dc3962905cf..803d3da3a0feb4e64d9672c6aa137b6b7a800951 100644 (file)
--- a/fs/hpfs/map.c
+++ b/fs/hpfs/map.c
@@ -17,7 +17,8 @@ __le32 *hpfs_map_bitmap(struct super_block *s, unsigned bmp_block,
                         struct quad_buffer_head *qbh, char *id)
 {
        secno sec;
-       if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) {
+       unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14;
+       if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) {
                hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id);
                return NULL;
        }

diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index a0617e7069579c61baed047b3ba2992b294d6082..962e90c37aec64ec95773467f146951995c9adc1 100644 (file)
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -558,7 +558,13 @@ static int hpfs_fill_super(struct super_block *s, void *options, int silent)
        sbi->sb_cp_table = NULL;
        sbi->sb_c_bitmap = -1;
        sbi->sb_max_fwd_alloc = 0xffffff;
-       
+
+       if (sbi->sb_fs_size >= 0x80000000) {
+               hpfs_error(s, "invalid size in superblock: %08x",
+                       (unsigned)sbi->sb_fs_size);
+               goto bail4;
+       }
+
        /* Load bitmap directory */
        if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps))))
                goto bail4;