DivestOS/Patches/Linux_CVEs/CVE-2017-10662/0.patch

From b69c3038bb41fa18c038ed93cf52123fda7f8c69 Mon Sep 17 00:00:00 2001
From: Jin Qian <jinqian@google.com>
Date: Tue, 25 Apr 2017 16:28:48 -0700
Subject: [PATCH] UPSTREAM: f2fs: sanity check segment count

commit b9dd46188edc2f0d1f37328637860bb65a771124 upstream.

F2FS uses 4 bytes to represent block address. As a result, supported
size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.

Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 36815012
Change-Id: I30ea36df066bc07e32e767336b7cae12063fe415
---
 fs/f2fs/super.c         | 8 ++++++++
 include/linux/f2fs_fs.h | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 03ab8b830940b..77b2cd5ddd569 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -434,6 +434,14 @@ static int sanity_check_raw_super(struct super_block *sb,
 		f2fs_msg(sb, KERN_INFO, "Invalid log sectors per block");
 		return 1;
 	}
+
+	if (le32_to_cpu(raw_super->segment_count) > F2FS_MAX_SEGMENT) {
+		f2fs_msg(sb, KERN_INFO,
+			"Invalid segment count (%u)",
+			le32_to_cpu(raw_super->segment_count));
+		return 1;
+	}
+
 	return 0;
 }
 
diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h
index df6fab82f87e7..fdb6cb9fe0bb3 100644
--- a/include/linux/f2fs_fs.h
+++ b/include/linux/f2fs_fs.h
@@ -235,6 +235,12 @@ struct f2fs_nat_block {
 #define SIT_ENTRY_PER_BLOCK (PAGE_CACHE_SIZE / sizeof(struct f2fs_sit_entry))
 
 /*
+ * F2FS uses 4 bytes to represent block address. As a result, supported size of
+ * disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.
+ */
+#define F2FS_MAX_SEGMENT       ((16 * 1024 * 1024) / 2)
+
+/*
  * Note that f2fs_sit_entry->vblocks has the following bit-field information.
  * [15:10] : allocation type such as CURSEG_XXXX_TYPE
  * [9:0] : valid block count