hpfs: better test for errors

commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream.

The test if bitmap access is out of bound could errorneously pass if the
device size is divisible by 16384 sectors and we are asking for one bitmap
after the end.

Check for invalid size in the superblock. Invalid size could cause integer
overflows in the rest of the code.

Signed-off-by: Mikulas Patocka <mpatocka@artax.karlin.mff.cuni.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/hpfs/map.c b/fs/hpfs/map.c
index a790821366a7f045d068fe47df517dc479b0ecce..ea3d1ca43e196055402572e2cc3bb05b99eeb96c 100644 (file)
--- a/fs/hpfs/map.c
+++ b/fs/hpfs/map.c
@@ -17,7 +17,8 @@ unsigned int *hpfs_map_bitmap(struct super_block *s, unsigned bmp_block,
                         struct quad_buffer_head *qbh, char *id)
 {
        secno sec;
-       if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) {
+       unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14;
+       if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) {
                hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id);
                return NULL;
        }

diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index 54f6eccb79d9ed8c67f7ada5a96867ad4c61b37c..0bf578dbfce7fb74bf48499ca5c6c8d801f931ed 100644 (file)
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -552,7 +552,13 @@ static int hpfs_fill_super(struct super_block *s, void *options, int silent)
        sbi->sb_cp_table = NULL;
        sbi->sb_c_bitmap = -1;
        sbi->sb_max_fwd_alloc = 0xffffff;
-       
+
+       if (sbi->sb_fs_size >= 0x80000000) {
+               hpfs_error(s, "invalid size in superblock: %08x",
+                       (unsigned)sbi->sb_fs_size);
+               goto bail4;
+       }
+
        /* Load bitmap directory */
        if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps))))
                goto bail4;