From 9ba55543fc0c6bb1cf8edd63be8802d9ab7e1202 Mon Sep 17 00:00:00 2001 From: "zhangyi (F)" Date: Wed, 28 Aug 2019 11:25:01 -0400 Subject: ext4: fix integer overflow when calculating commit interval If user specify a large enough value of "commit=" option, it may trigger signed integer overflow which may lead to sbi->s_commit_interval becomes a large or small value, zero in particular. UBSAN: Undefined behaviour in ../fs/ext4/super.c:1592:31 signed integer overflow: 536870912 * 1000 cannot be represented in type 'int' [...] Call trace: [...] [] ubsan_epilogue+0x34/0x9c lib/ubsan.c:166 [] handle_overflow+0x228/0x280 lib/ubsan.c:197 [] __ubsan_handle_mul_overflow+0x4c/0x68 lib/ubsan.c:218 [] handle_mount_opt fs/ext4/super.c:1592 [inline] [] parse_options+0x1724/0x1a40 fs/ext4/super.c:1773 [] ext4_remount+0x2ec/0x14a0 fs/ext4/super.c:4834 [...] Although it is not a big deal, still silence the UBSAN by limit the input value. Signed-off-by: zhangyi (F) Signed-off-by: Theodore Ts'o Reviewed-by: Jan Kara --- fs/ext4/super.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'fs/ext4/super.c') diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 4079605d437a..7310facffa9d 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1874,6 +1874,13 @@ static int handle_mount_opt(struct super_block *sb, char *opt, int token, } else if (token == Opt_commit) { if (arg == 0) arg = JBD2_DEFAULT_MAX_COMMIT_AGE; + else if (arg > INT_MAX / HZ) { + ext4_msg(sb, KERN_ERR, + "Invalid commit interval %d, " + "must be smaller than %d", + arg, INT_MAX / HZ); + return -1; + } sbi->s_commit_interval = HZ * arg; } else if (token == Opt_debug_want_extra_isize) { sbi->s_want_extra_isize = arg; -- cgit v1.2.1