Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 967ac8af4475ce45474800709b12137aa7634c77
commit967ac8af4475ce45474800709b12137aa7634c77[log] [tgz]
authorHaogang Chen <haogangchen@gmail.com>Mon May 28 14:21:55 2012 -0400
committerTheodore Ts'o <tytso@mit.edu>Mon May 28 14:21:55 2012 -0400
treeb40d665c1620e801f313ff516c7986e8c3cdbd59
parent9d99012ff26380a09092a9fddbb6e5f996dc631f [diff]
ext4: fix potential integer overflow in alloc_flex_gd()

In alloc_flex_gd(), when flexbg_size is large, kmalloc size would
overflow and flex_gd->groups would point to a buffer smaller than
expected, causing OOB accesses when it is used.

Note that in ext4_resize_fs(), flexbg_size is calculated using
sbi->s_log_groups_per_flex, which is read from the disk and only bounded
to [1, 31]. The patch returns NULL for too large flexbg_size.

Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@kernel.org
1 file changed
tree: b40d665c1620e801f313ff516c7986e8c3cdbd59
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS