author: HyungJung Joo <jhj140711@gmail.com> 2026-03-17 14:48:27 +0900
committer: Christian Brauner <brauner@kernel.org> 2026-03-17 15:35:54 +0100
commit: 0621c385fda1376e967f37ccd534c26c3e511d14 (patch)
tree: fbc64d3c3945642b72ac40c2ec596a48604712c7 /drivers/message/i2o/git@git.tavy.me:linux.git
parent: 2727d44f5d5bc3f8e55a6a0ccf24d8105a5a400e (diff)

fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START

omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE), but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440). Later, omfs_make_empty() uses sbi->s_sys_blocksize - OMFS_DIR_START as the length argument to memset(). Since s_sys_blocksize is u32, a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes an unsigned underflow there, wrapping to a value near 2^32. That drives a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel memory far beyond the backing block buffer.

Add the corresponding lower-bound check alongside the existing upper-bound check in omfs_fill_super(), so that malformed images are rejected during superblock validation before any filesystem data is processed.

Fixes: a3ab7155ea21 ("omfs: add directory routines")
Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
Link: https://patch.msgid.link/20260317054827.1822061-1-jhj140711@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>

Diffstat (limited to 'drivers/message/i2o/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
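
The length underflow described in the commit message, modelled in user space as an added example; this is not the kernel patch or any code from the OMFS driver. The function names, the 4096-byte page size and the sample block sizes are assumptions made for illustration; only OMFS_DIR_START (0x1b8) and the u32 type come from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OMFS_DIR_START  0x1b8u  /* 440, value quoted in the commit message */
#define MODEL_PAGE_SIZE 4096u   /* assumption: 4 KiB pages */

/* The length expression from the commit message, evaluated in u32:
 * it wraps to a value near 2^32 when the block size is below 440. */
static uint32_t dir_clear_len_unchecked(uint32_t s_sys_blocksize)
{
    return s_sys_blocksize - OMFS_DIR_START;
}

/* Hypothetical validator: the upper bound the commit message says already
 * existed, plus the lower bound it adds. Returns 0 if accepted, -1 if not. */
static int model_validate_blocksize(uint32_t s_sys_blocksize)
{
    if (s_sys_blocksize > MODEL_PAGE_SIZE)
        return -1;
    if (s_sys_blocksize < OMFS_DIR_START)
        return -1;
    return 0;
}

/* Compute the clear length only after validation; *len is left untouched
 * when the block size is rejected. */
static int dir_clear_len_checked(uint32_t s_sys_blocksize, size_t *len)
{
    if (model_validate_blocksize(s_sys_blocksize) != 0)
        return -1;
    *len = (size_t)(s_sys_blocksize - OMFS_DIR_START);
    return 0;
}

int main(void)
{
    /* Constructed sample block sizes, not taken from any real image. */
    static const uint32_t samples[] = { 0, 256, 439, 440, 2048, 4096, 8192 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t len = 0;
        int rc = dir_clear_len_checked(samples[i], &len);

        printf("blocksize=%5u unchecked_len=%10u validated=%s len=%zu\n",
               (unsigned)samples[i],
               (unsigned)dir_clear_len_unchecked(samples[i]),
               rc == 0 ? "accept" : "reject", len);
    }
    return 0;
}
```
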